US20070115940A1 - Method and system for multi-level secure personal profile management and access control to the enterprise multi-modal communication environment in heterogeneous convergent communication networks - Google Patents


Info

Publication number
US20070115940A1
Authority
US
United States
Prior art keywords
user
authentication
telephone
map engine
communication terminal
Prior art date
Legal status
Granted
Application number
US11/444,566
Other versions
US8406421B2 (en)
Inventor
Vladimir Kamen
Farzad Naimi
Kayvan Alikhani
Current Assignee
EMC Corp
Original Assignee
Individual
Priority date
Filing date
Publication date
Application filed by Individual
Priority to US11/444,566 (patent US8406421B2)
Assigned to LITESCAPE TECHNOLOGIES, INC. (assignors: ALIKHANI, KAYVAN; KAMEN, VLADIMIR; NAIMI, FARZAD)
Priority to EP06256154.3A (patent EP1811740B1)
Priority to CN201310338314.8A (patent CN103647886B)
Publication of US20070115940A1
Assigned to PASSBAN, INC. (assignor: LITESCAPE TECHNOLOGIES, INC.)
Application granted
Publication of US8406421B2
Assigned to EMC CORPORATION (assignor: PASSBAN CORPORATION)
Assigned to EMC IP Holding Company LLC (assignor: EMC CORPORATION)
Legal status: Active

Classifications

    • Section H (Electricity), class H04 (Electric communication technique), subclasses H04L (Transmission of digital information, e.g. telegraphic communication) and H04M (Telephonic communication):
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L65/103 Network arrangements, protocols or services for supporting real-time applications in data packet communication; architectures or entities; gateways; media gateways in the network
    • H04L65/1053 Network arrangements, protocols or services for supporting real-time applications in data packet communication; IP private branch exchange [PBX] functionality entities or arrangements
    • H04L67/14 Network arrangements or protocols for supporting network services or applications; session management
    • H04L67/142 Managing session states for stateless protocols; signalling session states; state transitions; keeping-state mechanisms
    • H04L67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
    • H04L67/306 Network arrangements or protocols for supporting network services or applications; architectures; profiles; user profiles
    • H04M1/2535 Substation equipment, e.g. for use by subscribers; telephone sets using digital voice transmission adapted for voice communication over an Internet Protocol [IP] network
    • H04M1/66 Substation equipment, e.g. for use by subscribers, with means for preventing unauthorised or fraudulent calling
    • H04L2463/082 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00, applying multi-factor authentication
    • H04M7/0078 Arrangements for interconnection between switching centres; networks other than PSTN/ISDN providing telephone service, e.g. Voice over Internet Protocol (VoIP); security; fraud detection; fraud prevention

Definitions

  • the present invention relates generally to the field of voice-over-Internet-Protocol (VoIP) and particularly to IP telephones that are capable of processing, receiving and transferring voice, data and/or video streams, and that are secured and controlled for secure profile management and convergent communications.
  • VoIP voice-over-Internet-Protocol
  • IP telephones telephones using Internet Protocol (IP) to communicate over the Internet, any local area network or any other IP network—currently offer less security than conventional telephones in the Public Switched Telephone Network. Security, remote access and controllability of communications terminals within the Internet are therefore highly desirable.
  • IP Internet Protocol
  • voice-enabled communications terminals such as IP phones
  • an embodiment and method of the present invention includes securely accessing a voice-enabled communication terminal using Internet Protocol by performing physical authentication, logical authentication and biometric authentication of a user and, upon successful confirmation of the user, allowing access to the communication terminal.
  • FIGS. 1 ( a )-( d ) show different configurations of a secure service point (SSP) system 10 having multi-location enterprise heterogeneous convergent communication infrastructure enhanced with the hardware and software for secure personal profile management and access control to the enterprise communication and business services over convergent network according to the embodiment of the present invention.
  • SSP secure service point
  • FIG. 2 shows a multi-modal service-point convergent communication system 40 in accordance with an application of the system 10 of FIGS. 1 ( a )-( d ).
  • FIG. 3 depicts an example of a sample interaction flow chart of a session with a secure profile management.
  • FIG. 4 shows a system 402 including the system 40 but with another configuration in accordance with an alternate embodiment of the present invention.
  • FIG. 5 is a high-level sequence diagram depicting the flow of the session using Secure Service Point and Multi-Modal Application Platform environment of FIG. 4 .
  • FIG. 6 is a simplified overview of distributed heterogeneous convergent communication infrastructure enhanced with the hardware and software for Secure Service Access Point operations, provisioning, management and controlled access to the enterprise communication and business services over convergent network according to the embodiment of the present invention.
  • FIG. 7 is a high-level sequence diagram depicting the flow of the multi-level centralized authentication session using Secure Service Access Point and Multi-Modal Application Platform environment of the system 600 .
  • a secure service point (SSP) system 10 is shown with different configurations represented in each of the foregoing figures, in accordance with various embodiments of the present invention.
  • the SSP system 10 is shown to include an IP telephone 12 , a secure personal authentication reader (SPAR) device 14 , a network switch 16 and an IP network line 18 , in accordance with an embodiment of the present invention.
  • the IP telephone 12 is merely an example of a voice-enabled communication terminal; accordingly, any voice-enabled network device capable of being controlled remotely may be used in place thereof.
  • IP telephone and “VoIP telephone” are used interchangeably herein.
  • the SPAR device 14 in each of the FIGS. 1 ( a )-( d ) includes one or more readers with each reader generally being of a different type.
  • the SPAR device 14 is shown to include a number of readers, shown as readers 20 - 26 .
  • the SPAR device 14 while shown in the figures to include four readers, may include any number of readers.
  • each of the readers 20 - 26 may be of a different type, such as a smart card reader, a biometric reader, a magnetic card reader or an RFID reader, or of a similar type. Examples of a reader are card readers, smart card readers, biometric readers or Radio Frequency Identification (RFID) readers.
  • RFID Radio Frequency Identification
  • the SPAR device 14 may include any combination of 3 rd party magnetic card reader, smart card reader, RFID reader, any type of biometric information reader (fingerprint, palm print, iris/retina reader) and any type of keyboard input device, and is capable of reading, capturing and securely transmitting the captured authentication information to an IP network using either wired or wireless connection, as will become further evident shortly.
  • the readers 20 - 26 can be coupled to the network line 18 individually and independently, directly or using the switch 16 . Moreover, they can be combined into one enclosure and coupled directly to the network line 18 , as shown in FIGS. 1 ( a ) and 1 ( c ), or coupled through a built-in Ethernet port 30 on the telephone 12 , as shown in FIG. 1 ( b ), or coupled to a built-in RS-232 port 32 on the telephone 12 , as shown in FIG. 1 ( d ).
  • the telephone 12 and the SPAR device 14 are shown coupled to the switch 16 , which is, in turn, shown coupled to the network line 18 .
  • the device 14 is generally affixed or in some manner connected to the telephone 12 at a location, for example, to the side or top or bottom of the telephone. An example location of the device 14 is at 34 .
  • the SPAR device 14 can be associated with a wired or wireless IP telephone, such as the IP telephone 12 , either by connection to the IP telephone through a dedicated RS-232 port on the phone, by connection to the IP network through a network switch on the IP phone, or by connection to the IP network through a physical connection separate from the IP telephone so that the user can use the keypad on the IP telephone as a keyboard input device and can use the IP telephone as a multi-modal communication device during an authentication procedure.
  • the combination of the IP telephone and the SPAR device 14 is, at times, referred to as “Secure Service Access Point” (SSAP).
  • SSAP Secure Service Access Point
  • where the readers of the device 14 are individually coupled through the switch 16 to the network line 18 , such as shown in FIG. 1 ( a ), different types of readers are clearly available for identification, whereas, in the case where only one or fewer than the total number of readers are coupled through the switch 16 to the network line 18 , clearly fewer readers are available for identifying a user.
  • in FIG. 1 ( d ), the connection of the device 14 to the network line 18 is through the telephone 12 and no switch is employed.
  • a connection 36 couples the device 14 to the telephone 12 and in one embodiment of the present invention, the connection 36 is a serial connection, such as RS-232.
  • a connection 38 couples the device 14 to the telephone 12 and, in one embodiment of the present invention, it is an IP or network connection.
  • FIG. 2 shows a multi-modal service-point convergent communication system 40 in accordance with an application of the system 10 of FIGS. 1 ( a )-( d ).
  • the system 40 is generally utilized for secure personal profile management and access control to the enterprise communication and business services over a convergent network, in accordance with an embodiment of the present invention.
  • the system 40 is shown to include a location 1 intended to refer to a location in which the structures (or similar structures) included therein are present, a primary MAP environment 42 , a LAN 125 and a third party user management and access control environment 44 and counterparts thereto shown on the left side of the figure, as location 2 , which is a counterpart to location 1 , a backup MAP environment 48 , which is a counterpart to the primary MAP environment 42 and a third party enterprise business services environment 50 , in accordance with an embodiment of the present invention.
  • Location 1 is an exemplary embodiment, shown to include an IP PBX and IP media gateway 101 combined with IP/PSTN gateway 102 (at times referred to as a “softswitch”) which provides the functionality of a traditional telephone PBX in a modular, open and distributed fashion, including comprehensive call control operations (call setup, teardown, transfer, conference, etc.) and voice traffic/media control and management (establishing audio streams between participating communication end points, mixing the said streams in case of call conference, redirecting the said streams in case of call transfer, etc.) and is coupled through a voice LAN (VLAN) 104 to four Secure Profile Management Point (SPM) points 112 , 110 , 113 and 111 . While four SPM points are shown in FIG. 2 , any number thereof may be employed without departing from the scope and spirit of the present invention.
  • SPM Secure Profile Management Point
  • at each SPM point there is shown an IP telephone and a SPAR device.
  • the SPM point 112 includes an IP telephone 105 and a SPAR device 108 and the SPM point 110 includes an IP telephone 105 and a SPAR device 106 and the SPM point 113 includes an IP telephone 105 and a SPAR device 115 and the SPM point 111 includes an IP telephone 105 and a SPAR device 107 .
  • the IP telephones and SPAR devices of each of the SPM points 112 , 110 , 113 and 111 resemble the IP telephone 12 and the SPAR device 14 of FIGS.
  • the device 108 of the SPM point 112 includes a smart card reader, card reader, an RFID and a biometric reader whereas the device 106 only includes a biometric reader and so on.
  • An example of a component in the environments 44 and 50 is, for example Microsoft Office Active Directory by Microsoft, Inc. of Seattle, Wash. as the LDAP 120 . Basically, they offer business functionality.
  • the VLAN 104 is shown further coupled to the SPM points 112 , 110 , 113 and 111 and couples these SPM points to the IP PBX and media gateway 101 , which is, in turn, coupled, through the VLAN 104 to the IP/PSTN gateway 102 .
  • the gateway 102 is coupled, through an ISDN PRI trunk 103 , to the PSTN cloud 127 , thereby allowing PSTN phones 128 to communicate with the IP telephone of any of the SPM points using VoIP, which is less costly and allows further flexibility and options, as will become evident shortly.
  • the VLAN 104 is further employed to couple the gateways 101 and 102 to the LAN/Wide Area Network (WAN) 126 .
  • WAN Wide Area Network
  • Location 2 includes structures similar to those shown and discussed relative to Location 1 , such as the IP/PSTN gateway 202 , which is similar to the gateway 102 of Location 1 , and an IP PBX and media gateway 201 , similar to the gateway 101 of Location 1 ; the combination of the gateway 201 and the gateway 202 functions substantially as a softswitch.
  • the SPM points 210 , 212 , 211 and 213 are similar to that shown and discussed of the SPM points 112 , 110 , 113 and 111 of Location 1 .
  • VLAN 204 couples the gateway 201 and the SPM points 210 , 212 , 211 and 213 in the same manner as discussed relative to the Location 1 and the gateway 202 and the gateway 201 are coupled through the VLAN 204 to the PSTN cloud 127 and to the LAN/WAN cloud 126 .
  • the VLAN 204 is further employed to couple the gateways 201 and 202 to the LAN/WAN 126 .
  • the LAN 125 couples the environment 44 to the environment 42 and further couples the environment 50 to the environment 48 .
  • the environment 42 is shown to include a Text-To-Speech (TTS) server 130 , an Automatic Speech Recognition (ASR) server 131 , a media server 117 , a MAP engine 116 and a RDBMS 118 .
  • the servers 130 and 131 are shown to be coupled to the VLAN 104 through a local area network connection 114 , as are the server 117 , the engine 116 and the RDBMS 118 , which are shown further coupled, through the connection 114 , to the LAN 125 .
  • the environment 48 is shown to include counterpart components to those of the environment 42 because the environment 48 essentially serves as a backup environment to the environment 42 in the event a problem arises and any of the components of the environment 42 become inoperable. Accordingly, the coupling of the servers and/or engines of the environment 48 is the same as that of the environment 42 .
  • the media server 217 , the MAP engine 216 , the TTS server 230 and the ASR server 231 are shown coupled through a local area network (LAN) connection 214 to the VLAN 204 of Location 2 and the server 217 and engine 216 are further shown coupled, through the connection 214 , to the environment 50 .
  • LAN local area network
  • the environment 44 is shown to include a security/authentication server 119 , a directory (LDAP) 120 and a presence server 121 , which are each coupled, through the connection 114 and the LAN 125 , to the environment 42 .
  • the environment 50 is shown to include a Customer Relationship Management (CRM) 122 , a Business Process Management and Automation (BPMA) 123 and a groupware 124 , which are each shown coupled through the connection 214 and the LAN 225 , to the environment 48 .
  • CRM Customer Relationship Management
  • BPMA Business Process Management and Automation
  • the elements at each of the Locations 1 and 2 are referred to as communication components, and each communication component shown at the Location 1 has its matching counterpart at the Location 2 ; some of their attributes are as follows:
  • the SPAR devices can be of different types, including but not limited to, biometric readers ( 106 , 206 ), smart cards, magnetic cards or RFID readers ( 107 , 207 ), or to compound devices that may include any combination of Smart Card, Magnetic Card, RFID and Biometric readers in a single unit ( 108 , 208 , 109 , 209 ). Accordingly, the SPAR devices can support either separate types of authentication, or if combined in a unit, can perform several types of authentication separately or in combination (as an example of such combination, a biometric reader can be combined with a RFID and/or a smart card reader).
  • the SPAR devices, such as the device 108 , 106 , 109 or 107 in FIG. 2 , are coupled to the enterprise LAN 125 via a standard network connection (or the connection 114 , an example of which is RJ-45), either directly or through the network switch built into the IP phone.
  • each authentication device, such as each SPAR device, is associated with one or more IP telephones
  • the logical associations between the SPAR device and the one or more IP telephones are generally stored in an appropriate software-based persistent storage repository (e.g., a relational database, such as the RDBMS 118 ).
  • SPAR devices may reside on the same physical chassis with IP phones or alternatively, they can be physically separated from their associated telephones; any such combination of a SPAR device and IP phone is referred to as “Secure Profile Management Point” (SPM Point) shown on the FIG. 2 as 110 - 113 and 210 - 213 .
  • SPM Point Secure Profile Management Point
  • an authentication session begins when a user swipes (through the use of a magnetic card or RFID card) or enters authentication information (a password) using any of the SPAR devices of, for example, the SPM points 112 , 110 , 113 or 111 .
  • the authentication information is then captured and stored in the engine 116 , through the VLAN 104 and the gateway 101 and is sent to the authentication server 119 for identification of the user.
  • additional information regarding the user is provided by the Directory Server 120 to the MAP Engine 116 . Additional information of the user includes, but is not limited to, the personal and corporate profiles of the user and the user's permissions within the system.
  • the server 121 provides the present status of the user, such as whether or not the user is available and/or active and the like.
  • the media server 117 is used to broadcast information, such as audio streams, to the user.
  • the server 130 is used to convert text to an audio file.
  • the server 131 is used for speech recognition and the RDBMS 118 is a relational database system for storing of various types of information.
  • the environment 42 is essentially duplicated or its backup preserved by the environment 48 . This redundancy is generally required for mission-critical applications.
  • a user profile: assuming a user profile has been created, upon an attempt by the user to access the IP phone, authentication of the user is performed and, upon positive authentication of the user, the user profile is retrieved and a telephony configuration of the communication terminal is built according to the stored user profile.
  • the Customer Relationship Management (CRM) 122 , Business Process Management and Automation (BPMA) 123 and groupware 124 of the environment 50 each include various business applications.
  • the PSTN phones 128 can be a landline or a mobile phone or any other conventional type of PSTN telephone.
  • in the processing of a phone call, assuming the call is originated from the IP phone 104 , it is transmitted through the gateway 101 to the gateway 102 and on to the PSTN cloud 127 , where the telephone company transfers it to the appropriate PSTN phone; the reverse path is used if the call is originated from the PSTN phone 128 .
  • the present invention is not limited to a multi-location architecture shown in FIG. 2 , but may be applied as well to other arrangements of elements where VoIP-capable communication end points, or communication terminals, (whether in combination with SPAR devices or not) are used to handle multi-modal user interaction sessions including but not limited to internal, external incoming and external outgoing telephone calls, multi-modal broadcasts of data, voice and video streams, presence management and monitoring, etc.
  • a processor executing an instance of Multi-modal Application Platform application server 116 (or 216 ), generally referred to as a MAP Engine.
  • the MAP Engine 116 ( 216 ) has several purposes associated with processing user authentication information that comes from any of the SPAR devices on the network. For example, the MAP Engine 116 , by communicating with any registered SPAR device, has the capability of:
  • MAP Engine 116 maintains a peer-to-peer TCP/IP connection to an instance of application known by the inventor as Multi-Modal Media Server 117 ( 217 ) (hereafter termed “Media Server”).
  • Media Server according to the control requests of the corresponding MAP Engine performs the actual delivery of combined voice, data and video streams to the VoIP phones of supported types and configurations according to the actual capabilities of the participating VoIP phones.
  • the Media Server also performs the function of collecting users' input to the data forms supplied to the screen-enabled VoIP phones and passing this data to the MAP Engine, so that the latter can process it and generate the subsequent control instructions based on the results of such processing and on relevant static and dynamic configuration data and business rules.
  • the Media Server may be implemented in several ways: it may be executed on the same hardware processor that executes the MAP Engine; alternatively, it may run on a separate hardware processor independently or as an add-on component of a standard Web application server like Tomcat.
  • the MAP Engine 116 and the Media Server 117 interact with an instance of an industry-standard relational database (RDBMS) 118 ( 218 ) that is used as storage for various data elements to which the MAP Engine 116 ( 216 ) and Media Server 117 ( 217 ) have read-write access; these data elements include (but are not limited to) system configuration information, real-time status, scheduling and historical data that is used to generate various business rules and interaction scenarios executed by the MAP Engine 116 ( 216 ) and the Media Server 117 ( 217 ), as well as for generation of various historical business reports related to the functions performed by the described system.
  • RDBMS industry-standard relational database
  • The same instances of the MAP Engine and the Media Server can simultaneously communicate with gateways of different vendors, seamlessly delivering the same functionality to IP phones and automatically adjusting presentation and flow logic to the vendor-specific capabilities of the corresponding IP phone.
  • The MAP Engine 116 and the Media Server 117 use well-known industry-standard protocols and technologies for data encryption and secure communications when communicating between themselves, with SPAR devices and with any other 3rd party components that require and support data encryption and secure communications. These protocols and technologies include but are not limited to:
  • The system 40 may include one or several hardware processors executing some or all of the following industry-standard 3rd party software components:
  • The system 40 allows for multi-level secure access to communication terminals, such as the IP telephone 12 of FIGS. 1(a)-(d).
  • There are three levels of security: physical authentication, logical authentication and biometric authentication. Both logical and physical authentication are performed by coordinated actions of the MAP Engine (116) and the Security and Authentication Server (119); no authentication is performed by the IP Phone itself. The SPAR device associated with (attached to) the phone captures the related authentication tokens and passes them securely to the MAP Engine (116), which in turn processes all captured authentication tokens and passes them to the Security and Authentication Server (119).
  • FIG. 3 is a high-level sequence diagram depicting the flow of the session with secure profile management activity of FIG. 2 . That is, vertically, time is represented going down the page and events and requests are represented horizontally on the page.
  • The flow starts with a User Authentication Request sent by a SPAR device, such as any of the SPAR devices of FIG. 2, to the MAP Engine 116 of FIG. 2. Having received such a request, the MAP Engine, based on the information sent by the SPAR device and on other relevant configuration data, dynamically identifies the type of session and initiates it.
  • A sample session flow may be as follows:
  • FIG. 4 shows a system 402 including the system 40 but with another configuration in accordance with an alternate embodiment of the present invention.
  • The SPM points or SSP terminals, such as the combination of an IP phone 105 and a SPAR device 108, are shown located remotely, outside of the enterprise (for example, in a store), and connected through a Wide Area Network (WAN)/Internet cloud 400 to the system 40.
  • FIG. 4 is a high-level overview of a distributed heterogeneous convergent communication infrastructure enhanced with hardware and software that covers a multi-location enterprise (which acts as a business service provider), and includes remote Secure Service Points that are installed outside of the enterprise boundaries in various publicly accessed locations (including but not limited to retail stores, bank branches, hotel lobbies and guest rooms, airport terminals and lounges, public phone booths, etc.) with the goal of delivering various business services to users using multi-modal interactive sessions according to business logic controlled in real time from a secure centralized enterprise environment.
  • Each “business service provider” enterprise location includes the following key components of the enterprise convergent communication network (each communication component shown at location 1 has its matching counterpart at location 2; the numbering of the Location 1 components starts with the digit 1, and the numbers of the corresponding components at Location 2 start with the digit 2):
  • The present invention assumes a heterogeneous distributed convergent network that contains both LAN/WAN segments (126) and WAN/Internet segments (129); it also contains multiple remote Secure Service Point terminals (110-113) connected to the WAN/Internet 129 via standard Ethernet connections 114.
  • Each remote SSP terminal (110-113) contains an IP Phone 105 and an associated SPAR apparatus (individual or combined, as shown at 106-109) described earlier in this embodiment.
  • Each remote SSP terminal (110-113) can perform an authentication procedure whose flow is controlled by a customizable and configurable authentication sequence session, which describes which authentication tokens the user should be challenged for and in which order.
  • The involved SSP terminal can encrypt one or several captured authentication tokens at a time and send them securely to the controlling MAP Engine 116 (216), which, based on the authentication sequence session, validates the captured authentication tokens and performs one of the following three actions:
  • The controlling MAP Engine 116 retrieves the authenticated user's profile, determines the type of business service requested by the user (based on the user's permissions and associated business rules and policies), retrieves the session scenario description from permanent storage (RDBMS or file system) and starts a multi-modal interactive session, acting as an intermediary between the user and the back-end enterprise CRM/ERM system that actually controls the requested business service and performs all related business transactions.
  • The said multi-modal session may consist of any combination of audio (in the form of prepared or TTS-generated audio files), video and data (in the form of text and/or images) streams generated according to the session scenario and sent upstream to the participating SSP Terminal (110-113); it interacts with the user by accepting input in multiple formats, including (but not limited to) natural speech (processed by an ASR system), DTMF input, data input (using data forms pushed to the IP Phone 105 of the participating SSP Terminal) or token input (using the SPAR device 106-109 of the participating SSP Terminal 110-113).
  • The controlling MAP Engine (either based on the user request or on the session scenario) can:
  • The controlling MAP Engine (per the former CSR's request), using 3rd party call control and media control functions, transfers the session (call, associated data and video stream) to the IP Phone and computer of the newly designated CSR.
  • The controlling MAP Engine (per the former CSR's request), using 3rd party call control and media control functions, sets up a conference, thereby adding the IP Phone and computer of the latter CSR to the session so that all session streams (call, associated data and video stream) become available to this new CSR.
  • FIG. 5 is a high-level sequence diagram depicting the flow of the session using Secure Service Point and Multi-Modal Application Platform environment of FIG. 4 .
  • The flow starts with a User Authentication Request sent by an SSP terminal to the MAP Engine. Having received such a request, the MAP Engine, based on the information sent by the SSP terminal and on other relevant configuration data, dynamically identifies the correct type of session and initiates it.
  • A sample session flow may look as follows:
  • The MAP Engine notifies the CRM/ERM agent about service completion, completes the session, frees up all related resources and performs any other required related actions.
  • FIG. 6 is a high-level overview of distributed heterogeneous convergent communication system 600 enhanced with the hardware and software for Secure Service Access Point operations, provisioning, management and controlled access to the enterprise communication and business services over convergent network according to another embodiment of the present invention.
  • The system 600 includes the system 400 and covers a multi-location enterprise (which can act as a business service provider), and includes remote Secure Service Access Points that are installed outside of the enterprise boundaries in various publicly accessed locations (including but not limited to retail stores, bank branches, hotel lobbies and guest rooms, airport terminals and lounges, public phone booths, etc.) with the goal of delivering various business services to users using multi-modal interactive sessions according to business logic controlled in real time from a secure centralized enterprise environment.
  • Each “business service provider” enterprise location is shown as a dashed rectangle and contains the following key components of the enterprise convergent communication network (each communication component shown at location 1 has its matching counterpart at location 2; the numbering of the Location 1 components starts with the digit 1, and the numbers of the corresponding components at Location 2 start with the digit 2):
  • The present invention assumes a heterogeneous distributed convergent network that contains LAN/WAN segments (126), wireless access points (125, 225) and WAN/Internet segments (129), and also includes:
  • An SSAP apparatus may contain one or more SPAR devices which can be of different types, including but not limited to biometric readers, smart card or magnetic card or RFID readers, or can be combined into compound devices that may include any combination of Smart Card, Magnetic Card, RFID and Biometric readers in a single unit ( 103 ). Accordingly an SSAP apparatus can support either separate types of authentication, or can perform several types of authentication alternatively or in combination.
  • An SSAP apparatus is connected to the enterprise LAN either directly or through a standard dedicated Ethernet switch.
  • Each SPAR device would be associated with one or several IP phones and/or with one or several desktop or laptop computers; such logical associations would be stored in an appropriate software-based persistent storage repository (e.g., a relational database), so that an SSAP apparatus can contain more than one associated SPAR device and more than one associated IP phone, and can be associated with one or several desktop/laptop computers.
  • The SPAR devices associated with VoIP phones may reside on the same physical chassis as the VoIP phones, or can be physically separated from their associated phones; any such logical combination of one or more SPAR devices with one or more IP phones is hereafter termed a “Secure Service Access Point” (SSAP), shown in FIG. 2 as 110-113 and 210-213.
  • The present invention is not limited to the multi-location architecture shown in FIG. 6, but may be applied as well to other arrangements of elements where VoIP-capable communication end points (whether included in SSAP apparatuses or not) are used to handle multi-modal user interaction sessions, including but not limited to internal, external incoming and external outgoing telephone calls, multi-modal broadcasts of data, voice and video streams, presence management and monitoring, etc.
  • Also connected to the local area networks 104 (204) and 114 (214) is a processor executing an instance of the Multi-modal Application Platform application server 116 (216), known by the inventors as the MAP Engine.
  • The MAP Engine 116 (216) has several purposes associated with processing user authentication information that comes from any SSAP apparatus on the network. For example, by communicating bi-directionally with any registered SSAP apparatus, the said MAP Engine has the capability:
  • The MAP Engine 116 maintains a peer-to-peer TCP/IP connection to an instance of an application known by the inventors as the Multi-Modal Media Server 117 (217) (hereafter termed “Media Server”).
  • The Media Server, according to the control requests of the corresponding MAP Engine, performs the actual delivery of combined voice, data and video streams to VoIP phones of supported types and configurations, according to the actual capabilities of the participating VoIP phones.
  • The Media Server also collects users' input to the data forms supplied to the screen-enabled VoIP phones and passes this data to the MAP Engine, so that the latter can process it to generate the subsequent control instructions based on the results of that processing and on relevant static and dynamic configuration data and business rules.
  • The Media Server may be executed on the same hardware processor that executes the MAP Engine; alternatively, it may run on a separate hardware processor, either independently or as an add-on component of a standard Web application server such as Tomcat.
  • The MAP Engine and the Media Server interact, via a TCP/IP-based network connection, with an instance of an industry-standard relational database (RDBMS) 118 (218) that is used as persistent storage for various data elements to which the MAP Engine 116 (216) and the Media Server 117 (217) have read-write access. These data elements include (but are not limited to) system configuration information, real-time status, scheduling and historical data, which is used to generate the various business rules and interaction scenarios executed by the MAP Engine 116 (216) and the Media Server 117 (217), as well as to generate various historical business reports related to the functions performed by the described system.
  • The same instances of the MAP Engine and the Media Server can simultaneously communicate with IP PBXs of different vendors, seamlessly delivering the same functionality to the associated SSAP apparatuses and automatically adjusting presentation and flow logic to the vendor-specific capabilities of the corresponding SSAP apparatus.
  • The MAP Engine and the Media Server use well-known industry-standard protocols and technologies for data encryption and secure communications when communicating between themselves, with SPAR devices and with any other 3rd party components that require and support data encryption and secure communications. These protocols and technologies include but are not limited to:
  • The system may contain one or several hardware processors running some or all of the following industry-standard 3rd party software components:
  • Each remote SSAP terminal (110-113) can perform an authentication procedure whose flow is controlled by a customizable and configurable authentication sequence session, which describes which authentication tokens the user should be challenged for and in which order.
  • The involved SSAP terminal can encrypt one or several captured authentication tokens at a time and send them securely to the controlling MAP Engine 116 (216), which, based on the authentication sequence session, validates the captured authentication tokens and performs one of the following three actions:
  • The controlling MAP Engine 116 retrieves the authenticated user's profile, determines the type of business service requested by the user (based on the user's permissions and associated business rules and policies), retrieves the session scenario description from permanent storage (RDBMS or file system) and starts a multi-modal interactive session according to the said session scenario description.
  • FIG. 7 is a high-level sequence diagram depicting the flow of the multi-level centralized authentication session using Secure Service Access Point and Multi-Modal Application Platform environment of the system 600 of FIG. 6 .
  • The flow starts with User Authentication Token 1 sent by an SSAP terminal to the MAP Engine. Having received such a request, the MAP Engine, based on the information sent by the SSAP terminal and on other relevant configuration data, dynamically identifies the correct type of session and initiates it.
  • A sample session flow may look as follows:

Abstract

A method and apparatus, in accordance with an embodiment of the present invention, is presented for securely accessing a voice-enabled communication terminal using Internet Protocol by performing physical authentication, performing biometric authentication, performing logical authentication, performing confirmation of a user and upon successful confirmation of the user, allowing access to the communication terminal.

Description

    REFERENCE TO PRIOR APPLICATIONS
  • This application claims the benefit of a previously filed U.S. Provisional Patent Application No. 60/727,089 filed on Oct. 13, 2005, and entitled “Method and System for Multi-Level Secure Personal Profile Management and Access Control to the Enterprise Multi-Modal Communication Environment in Heterogeneous” and further claims the benefit of a previously filed U.S. Provisional Patent Application No. 60/755,734 filed on Dec. 29, 2005, and entitled “Method and Apparatus for Adaptive Management of Multi-Modal Secure Service Point in Heterogeneous Converged Communication Networks” and further claims the benefit of a previously filed U.S. Provisional Patent Application No. 60/755,472 filed on Dec. 29, 2005, and entitled “Method and System for Secure Centralized Multi-Modal User Authentication Over Heterogeneous Convergent Communication Networks”.
  • BACKGROUND OF THE INVENTION
  • 1. Field of the Invention
  • The present invention relates generally to the field of voice-over-Internet-Protocol (VoIP) and particularly to IP telephones that are capable of processing, receiving and transferring voice, data and/or video streams, and that are secured and controlled for secure profile management and convergent communications.
  • 2. Description of the Prior Art
  • With the advent of the Internet and particularly its popularity within the recent decade, information, in its multitude of forms, is commonly transferred using the Internet. This method of communication offers users a cost-effective, flexible and oftentimes convenient approach to information transfer. Of particular interest is the use of telephones or voice-enabled communication terminals throughout the Internet for the transfer of voice, data and/or video streams. In fact, many communication terminals may be placed at various locations remote from each other throughout the Internet cloud, thereby allowing users to communicate with one another through the Internet.
  • The use of IP telephones—telephones using Internet Protocol (IP) to communicate over the Internet, any local area network or any other IP network—currently offers less security than that of conventional telephones in the Public Switched Telephone Network. Security, remote access and controllability of communication terminals within the Internet are therefore highly desirable.
  • The need therefore arises for secure access to, and optionally remote control of, voice-enabled communication terminals such as IP phones that are remotely located from one another, allowing multiple users to communicate using VoIP while multi-level security prevents unauthorized access to the functions of the communication terminal.
  • SUMMARY OF THE INVENTION
  • Briefly, an embodiment and method of the present invention includes securely accessing a voice-enabled communication terminal using Internet Protocol by performing physical authentication, performing logical authentication, performing biometric authentication and performing authentication of a user and, upon successful confirmation of the user, allowing access to the communication terminal.
  • The foregoing and other objects, features and advantages of the present invention will be apparent from the following detailed description of the preferred embodiments which make reference to several figures of the drawing.
  • IN THE DRAWINGS
  • FIGS. 1(a)-(d) show different configurations of a secure service point (SSP) system 10 having multi-location enterprise heterogeneous convergent communication infrastructure enhanced with the hardware and software for secure personal profile management and access control to the enterprise communication and business services over convergent network according to the embodiment of the present invention.
  • FIG. 2 shows a multi-modal service-point convergent communication system 40 in accordance with an application of the system 10 of FIGS. 1(a)-(d).
  • FIG. 3 depicts an example of a sample interaction flow chart of a session with a secure profile management.
  • FIG. 4 shows a system 402 including the system 40 but with another configuration in accordance with an alternate embodiment of the present invention.
  • FIG. 5 is a high-level sequence diagram depicting the flow of the session using Secure Service Point and Multi-Modal Application Platform environment of FIG. 4.
  • FIG. 6 is a simplified overview of distributed heterogeneous convergent communication infrastructure enhanced with the hardware and software for Secure Service Access Point operations, provisioning, management and controlled access to the enterprise communication and business services over convergent network according to the embodiment of the present invention.
  • FIG. 7 is a high-level sequence diagram depicting the flow of the multi-level centralized authentication session using Secure Service Access Point and Multi-Modal Application Platform environment of the system 600.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • Referring now to FIGS. 1(a)-(d), a secure service point (SSP) system 10 is shown with different configurations represented in each of the foregoing figures, in accordance with various embodiments of the present invention. In FIG. 1(a), the SSP system 10 is shown to include an IP telephone 12, a secure personal authentication reader (SPAR) device 14, a network switch 16 and an IP network line 18, in accordance with an embodiment of the present invention. The IP telephone 12 is merely an example of a voice-enabled communication terminal; accordingly, any voice-enabled network device capable of being controlled remotely may be used in place thereof. The terms “IP telephone” and “VoIP telephone” are used interchangeably herein.
  • The SPAR device 14 in each of the FIGS. 1(a)-(d) includes one or more readers, with each reader generally being of a different type. In the figures, the SPAR device 14 is shown to include a number of readers, which are each of the readers 20-26. It should be noted that the SPAR device 14, while shown in the figures to include four readers, may include any number of readers. Furthermore, each of the readers 20-26 may be of a different type, such as a smart card reader, a biometric reader, a magnetic card reader or an RFID reader, or of a similar type. Examples of a reader are card readers, smart card readers, biometric readers or Radio Frequency Identification (RFID) readers. The choice of which combination of readers to use is one of design. Nonetheless, these readers are utilized for confirmation of the identity of a user in various ways, such as by a fingerprint if the biometric reader is employed, which will be discussed further in relation to levels of security shortly.
  • Moreover, the SPAR device 14 may include any combination of a 3rd party magnetic card reader, smart card reader, RFID reader, any type of biometric information reader (fingerprint, palm print, iris/retina reader) and any type of keyboard input device, and is capable of reading, capturing and securely transmitting the captured authentication information to an IP network using either a wired or a wireless connection, as will become further evident shortly.
  • The readers 20-26 can be coupled to the network line 18 individually and independently, directly or using the switch 16. Moreover, they can be combined into one enclosure and coupled directly to the network line 18, as shown in FIGS. 1(a) and 1(c), or coupled through a built-in Ethernet port 30 on the telephone 12, as shown in FIG. 1(b), or coupled to a built-in RS-232 port 32 on the telephone 12, as shown in FIG. 1(d).
  • In FIG. 1(a), the telephone 12 and the SPAR device 14 are shown coupled to the switch 16, which is, in turn, shown coupled to the network line 18. The device 14 is generally affixed or in some manner connected to the telephone 12 at a location, for example, to the side or top or bottom of the telephone. An example location of the device 14 is at 34.
  • The SPAR device 14 can be associated with a wired or wireless IP telephone, such as the IP telephone 12, either by connection to the IP telephone through a dedicated RS-232 port on the phone, by connection to the IP network through a network switch on the IP phone, or by connection to the IP network through a physical connection separate from the IP telephone so that the user can use the keypad on the IP telephone as a keyboard input device and can use the IP telephone as a multi-modal communication device during an authentication procedure. The combination of the IP telephone and the SPAR device 14 is, at times, referred to as “Secure Service Access Point” (SSAP).
  • In the case where the readers of the device 14 are individually coupled through the switch 16 to the network line 18, such as shown in FIG. 1(a), different types of readers are clearly available for identification, whereas, in the case where only one reader, or fewer than all of the available readers, is coupled through the switch 16 to the network line 18, clearly fewer readers are available for identifying a user. In FIG. 1(d), the connection of the device 14 to the network line 18 is through the telephone 12 and no switch is employed.
  • In FIG. 1(d), a connection 36 couples the device 14 to the telephone 12 and, in one embodiment of the present invention, the connection 36 is a serial connection, such as RS-232. In FIG. 1(b), a connection 38 couples the device 14 to the telephone 12 and, in one embodiment of the present invention, it is an IP or network connection.
  • Some of the capabilities and/or functions of the system 10, while not limited to the same, are enumerated as follows:
    • 1. Ability to automatically discover and/or to remotely provision third-party SPAR devices including (but not limited to) various device configuration parameters, relevant physical and logical associations (for example, association with an IP Phone), supported industry-standard security and connectivity parameters, real-time device status, etc.
    • 2. Ability to collect (by way of using various third party readers comprising the SPAR device 14) all or any combination of the following three pieces of authentication data: biometric authentication token (using fingerprint, palm-print or iris/retina reader), user-possessed physical token (using any third party smart cards, magnetic cards or RFID token and the corresponding reader), and logical authentication token (using any third party keyboard input device including but not limited to dial pad of the associated IP Phone)
    • 3. Ability (by use of the aforementioned SPAR device embedded firmware) to encrypt all or any portion of the captured authentication data using industry-standard encryption mechanisms, technologies and schemas, and to pass the captured and encrypted authentication data over a secure convergent network using any of the industry-standard secure and reliable network protocols (e.g., HTTPS, SSL, etc.) to a centralized software component that would decrypt the said authentication data and perform all required further processing of it (including but not limited to passing identified authentication tokens to known dedicated third party authentication/verification software authorities according to a configurable authentication sequence, processing the results of each token verification in real time and retrieving the authenticated user's profile and associated permissions), thereby reducing or altogether eliminating any authentication operations performed by the device firmware and allowing for improved reliability, performance and efficiency of such authentication
    • 4. Ability to maintain integrity of business data and transactions related to personal/group profiles, credentials, roles, permissions, authentication (including but not limited to passwords, biometric patterns, users' profiles and various related personalized content) in a secure and protected way, allowing only authorized parties (whether automated third party software components or human beings) to retrieve this information
    • 5. Ability to support enhanced security and access control based on the pre-defined limits of secure session duration, ensuring that any user would be automatically logged out after certain idle time
    • 6. Ability to automatically enable a communication terminal associated with the authentication terminal with user's communication profile
    • 7. Ability to support geographically distributed groups of users that can consist of “mix-and-match” of individual users, groups of users (communities) created according to some business rules, various locations (campuses, buildings, arbitrarily selected parts of buildings such as floors, wings, rooms, halls, common areas, etc.) and to dynamically resolve the user's credentials depending on their geographical locations or associations with the users or both (e.g. user A when in Location B has roles and permissions C, but when user A is in location D (s)he has roles and permissions E)
    • 8. Ability to act as an industry-standard Presence Agent that is capable of aggregating information related to user presence and publish it to any industry-standard 3rd party Presence Server based on the authenticated profile, business rules, policies and permissions, and location of the originating SSAP device
    • 9. Ability to integrate and collaborate with various required third party enterprise business services using industry-standard protocols, either as an authorized software component or on behalf of the authenticated user (based on the user's credentials, profile and appropriate business rules, policies and permissions), including but not limited to publishing aggregated information related to the user's real-time presence status and location
    • 10. Ability to act as a multi-modal interactive front-end view and controller to a third party Customer Relationship Management (CRM) system and/or Employee Relationship Management (ERM) system, including (but not limited to) ability to dynamically determine (based on the authenticated user's permissions and related business rules and policies) the type of requested CRM/ERM service, and ability to execute automated multi-modal interaction session with the user (according to the said CRM/ERM service scenario) using SSP as a communication terminal that according to its capabilities supports various modes of interactions with the user, including (but not limited to) reading of the aforementioned physical tokens, data input using IP telephone screen, speech input using third party Automated Speech Recognition (ASR) system, DTMF input, Text-To-Speech (TTS) conversions, etc.
    • 11. Ability (by use of industry-standard third party call control and media control functions supported by related IP Telephony equipment) either automatically or per user request to initiate a phone call to a designated 3rd party (human being or automated system) at any moment during said automated multi-modal session; ability to associate all session-related data collected up to this moment with the said phone call and deliver it to the said third party; ability to transfer the said multi-modal session (including but not limited to call, audio stream, session state and associated data) from one party to another party; ability to conference any number of parties to the said multi-modal session with simultaneous and synchronized delivery of all session data components and streams
    • 12. Ability to deliver all aforementioned functions in a distributed enterprise environment, in a hosted multi-tenant environment and in a service provider environment supporting the corresponding industry-standard requirements for high availability, fault tolerance, redundancy, scalability and load balancing
  • FIG. 2 shows a multi-modal service-point convergent communication system 40 in accordance with an application of the system 10 of FIGS. 1(a)-(d). The system 40 is generally utilized for secure personal profile management and access control to the enterprise communication and business services over a convergent network, in accordance with an embodiment of the present invention.
  • The system 40 is shown to include a location 1 (intended to refer to a location in which the structures shown therein, or similar structures, are present), a primary MAP environment 42, a LAN 125 and a third party user management and access control environment 44, together with their counterparts shown on the left side of the figure: a location 2, which is a counterpart to location 1, a backup MAP environment 48, which is a counterpart to the primary MAP environment 42, and a third party enterprise business services environment 50, in accordance with an embodiment of the present invention.
  • Location 1 is an exemplary embodiment, shown to include an IP PBX and IP media gateway 101 combined with IP/PSTN gateway 102 (at times referred to as a “softswitch”) which provides the functionality of a traditional telephone PBX in a modular, open and distributed fashion, including comprehensive call control operations (call setup, teardown, transfer, conference, etc.) and voice traffic/media control and management (establishing audio streams between participating communication end points, mixing the said streams in case of call conference, redirecting the said streams in case of call transfer, etc.) and is coupled through a voice LAN (VLAN) 104 to four Secure Profile Management Point (SPM) points 112, 110, 113 and 111. While four SPM points are shown in FIG. 2, any number thereof may be employed without departing from the scope and spirit of the present invention.
  • In each SPM point, there is shown an IP telephone and a SPAR device. For example, the SPM point 112 includes an IP telephone 105 and a SPAR device 108; the SPM point 110 includes an IP telephone 105 and a SPAR device 106; the SPM point 113 includes an IP telephone 105 and a SPAR device 115; and the SPM point 111 includes an IP telephone 105 and a SPAR device 107. The IP telephones and SPAR devices of each of the SPM points 112, 110, 113 and 111 resemble the IP telephone 12 and the SPAR devices 14 of FIGS. 1(a)-(d), with the SPAR device of each SPM point having a unique configuration among the various available configurations thereof, as discussed with reference to FIGS. 1(a)-(d). For example, in FIG. 2, the device 108 of the SPM point 112 includes a smart card reader, a card reader, an RFID reader and a biometric reader, whereas the device 106 only includes a biometric reader, and so on.
  • An example of a component in the environment 44 is Microsoft Active Directory, by Microsoft Corporation of Redmond, Wash., serving as the LDAP directory 120. Basically, the components of the environments 44 and 50 provide user management and business functionality to the system 40.
  • The VLAN 104 is shown further coupled to the SPM points 112, 110, 113 and 111 and couples these SPM points to the IP PBX and media gateway 101, which is, in turn, coupled, through the VLAN 104, to the IP/PSTN gateway 102. The gateway 102 is coupled, through an ISDN PRI trunk 103, to the PSTN cloud 127, thereby allowing PSTN phones 128 to communicate with the IP telephone of any of the SPM points using VoIP, which is less costly and allows further flexibility and options, as will become evident shortly. The VLAN 104 is further employed to couple the gateways 101 and 102 to the LAN/Wide Area Network (WAN) 126.
  • Location 2 includes structures similar to those shown and discussed relative to Location 1, such as the IP/PSTN gateway 202, which is similar to the gateway 102 of Location 1, and an IP PBX and media gateway 201, similar to the gateway 101 of Location 1; the combination of the gateway 201 and the gateway 202 functions substantially as a softswitch. The SPM points 210, 212, 211 and 213 are similar to the SPM points 112, 110, 113 and 111 of Location 1. The VLAN 204 couples the gateway 201 and the SPM points 210, 212, 211 and 213 in the same manner as discussed relative to Location 1, and the gateways 201 and 202 are coupled through the VLAN 204 to the PSTN cloud 127 and to the LAN/WAN cloud 126. The LAN 125 couples the environment 44 to the environment 42 and further couples the environment 50 to the environment 48.
  • The environment 42 is shown to include a Text-To-Speech (TTS) server 130, an Automatic Speech Recognition (ASR) server 131, a media server 117, a MAP engine 116 and a RDBMS 118. The servers 130 and 131 are shown to be coupled to the VLAN 104 through a local area network connection 114, as are the server 117, the engine 116 and the RDBMS 118, which are shown further coupled, through the connection 114, to the LAN 125.
  • The environment 48 is shown to include counterpart components to those of the environment 42 because the environment 48 essentially serves as a backup environment to the environment 42 in the event a problem arises and any of the components of the environment 42 become inoperable. Accordingly, the coupling of the servers and/or engines of the environment 48 is the same as that of the environment 42. For example, the media server 217, the MAP engine 216, the TTS server 230 and the ASR server 231 are shown coupled through a local area network (LAN) connection 214 to the VLAN 204 of Location 2, and the server 217 and engine 216 are further shown coupled, through the connection 214, to the environment 50.
  • The environment 44 is shown to include a security/authentication server 119, a directory (LDAP) 120 and a presence server 121, which are each coupled, through the connection 114 and the LAN 125, to the environment 42. The environment 50 is shown to include a Customer Relationship Management (CRM) 122, a Business Process Management and Automation (BPMA) 123 and a groupware 124, which are each shown coupled through the connection 214 and the LAN 225, to the environment 48.
  • The structures or components with each of the Locations 1 and 2 are referred to as communication components and each communication component shown at the Location 1 has its matching counterpart at the Location 2 and some of the attributes are as follows:
      • IP PBX combined with IP Media Gateway 101 (201) and connected to a dedicated Voice LAN 104 (204)
      • Voice-over-IP telephones of various types 105 (205) connected to the corresponding Voice LAN 104 (204)
      • IP/PSTN Gateway 102 (202) connected to the Public Switched Telephone Network (PSTN) 127 via ISDN PRI trunks 103 (203) to support connectivity between the IP PBX 101 (201) and various (wireless and wired) PSTN phones 128.
      • Multi-modal VoIP phones (105, 205) that are capable of handling either combination of voice, data and video streams (the actual capabilities of these end points determine the multi-modal streams that would be delivered);
      • Authentication devices (SPAR devices) that perform, among other procedures, the following authentication procedures: biometric authentication (fingerprint, palm-print or iris-reader), physical token authentication (magnetic card reader, smart card reader, RFID reader).
  • As earlier noted, the SPAR devices can be of different types, including but not limited to biometric readers (106, 206), smart card, magnetic card or RFID readers (107, 207), or compound devices that may include any combination of smart card, magnetic card, RFID and biometric readers in a single unit (108, 208, 109, 209). Accordingly, the SPAR devices can support either separate types of authentication or, if combined in a unit, can perform several types of authentication separately or in combination (as an example of such a combination, a biometric reader can be combined with an RFID and/or a smart card reader). The SPAR devices, such as the device 108, 106, 109 or 107 in FIG. 2, are coupled to the enterprise LAN 125 via a standard network connection (such as the connection 114, for example an RJ-45 Ethernet connection), either directly or through the network switch built into the IP phone.
  • Typically, each authentication device, such as each SPAR device, is associated with one or more IP telephones, and the logical associations between the SPAR device and the one or more IP telephones are generally stored in an appropriate software-based persistent storage repository (e.g., a relational database, such as the RDBMS 118).
  • These SPAR devices may reside on the same physical chassis with IP phones or alternatively, they can be physically separated from their associated telephones; any such combination of a SPAR device and IP phone is referred to as “Secure Profile Management Point” (SPM Point) shown on the FIG. 2 as 110-113 and 210-213.
  • In operation, an authentication session begins when a user swipes a card (a magnetic card or an RFID card) at, or enters authentication information (such as a password) on, any of the SPAR devices of, for example, the SPM points 112, 110, 113 or 111. The authentication information is captured by the SPAR device and passed, through the VLAN 104 and the gateway 101, to the engine 116, which sends it to the authentication server 119 for identification of the user. Once the user is identified, additional information regarding the user is provided by the Directory Server 120 to the MAP Engine 116. Such additional information includes, but is not limited to, the personal and corporate profiles of the user and the user's permissions within the system. The server 121 provides the present status of the user, such as whether or not the user is available and/or active, and the like.
  • The media server 117 is used to broadcast information, such as audio streams, to the user. The server 130 is used to convert text to audio file. The server 131 is used for speech recognition and the RDBMS 118 is a relational database system for storing of various types of information.
  • As previously alluded thereto, due to the mission-critical characteristic of the system 40, the environment 42 is essentially duplicated or its backup preserved by the environment 48. This redundancy is generally required for mission-critical applications.
  • Assuming a user profile has been created, upon an attempt by the user to access the IP phone, authentication of the user is performed and upon positive authentication of the user, the user profile is retrieved for storage and a telephony configuration of the communication terminal is built according to the stored user profile.
  • The Customer Relationship Management (CRM) 122, Business Process Management and Automation (BPMA) 123 and groupware 124 of the environment 50 each include various business applications. The PSTN phones 128 can be a landline or a mobile phone or any other conventional type of PSTN telephone. As an example of the processing of a phone call, assuming the call is originated from an IP phone 105, it is transmitted through the gateway 101 to the gateway 102 and on to the PSTN cloud 127, where the telephone company transfers it to the appropriate PSTN phone; the reverse path is used if the call is originated from the PSTN phone 128.
  • It will be apparent as well, that the present invention is not limited to a multi-location architecture shown in FIG. 2, but may be applied as well to other arrangements of elements where VoIP-capable communication end points, or communication terminals, (whether in combination with SPAR devices or not) are used to handle multi-modal user interaction sessions including but not limited to internal, external incoming and external outgoing telephone calls, multi-modal broadcasts of data, voice and video streams, presence management and monitoring, etc.
  • Also connected to the VLAN 104 (204) and the LAN 125 (225) is a processor executing an instance of a Multi-modal Application Platform application server 116 (or 216), generally referred to as a MAP Engine. The MAP Engine 116 (216) has several purposes associated with processing user authentication information that comes from any of the SPAR devices on the network. For example, by communicating with any registered SPAR device, the MAP Engine 116 has the capability to:
      • Receive encrypted request from the SPAR device that includes authentication data
      • Identify the type of authentication data
      • Identify the SPAR device that is the source of the request
      • Pass the encrypted authentication data to a 3rd party authentication server
      • Receive response from the authentication server that includes one or more attributes uniquely identifying the user
      • Retrieve user's personal communication profile and configure the corresponding IP phone according to this profile
      • Present the user with the list of available communication and business services according to the user's profile and permissions.
      • Based on the authenticated profile, the location of the originating SPAR device and the association of the SPAR device with an IP phone, and using the SIP for Instant Messaging and Presence Leveraging Extensions (SIMPLE) protocol for presence management, the said MAP Engine can publish user-related presence information to any industry-standard 3rd party Presence Server
      • Based on the authentication profile and type of preconfigured services can initiate an automated multi-modal session between the user and available/permitted enterprise communication or business services.
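  • The first four capabilities above (receive a request, identify the token type, identify the source SPAR device, forward the authentication data) are where a practitioner would expect the MAP Engine to refuse traffic it cannot attribute to a registered device. The following is an added example, not code from the patent or from the inventors' system, showing one way to implement that check in Python: each SPAR device is assumed to hold a provisioned secret key and to wrap every captured token in an HMAC-SHA256 authenticated envelope; the engine looks the device up in a registry (a stand-in for the SPAR-to-telephone association the page keeps in the RDBMS 118), verifies the MAC, confirms the device actually has a reader for the claimed token type, rejects stale or replayed requests, and only then records what it would forward to the Security and Authentication Server 119. The token blob stays opaque to the engine, as the page describes. Transport encryption is assumed to be TLS (the SSL listed later on the page is obsolete and should not be used) and is not shown; device ids, keys, phone ids and field names are all assumptions.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed stand-in for the SPAR-device / IP-telephone association the page
# keeps in the RDBMS 118. Device ids, keys, phone ids and reader sets are
# hypothetical; each device is assumed to hold its own provisioned key.
DEVICE_REGISTRY = {
    "spar-108": {"key": b"provisioned-key-108", "phone": "ipphone-112",
                 "readers": {"smartcard", "magcard", "rfid", "biometric"}},
    "spar-106": {"key": b"provisioned-key-106", "phone": "ipphone-110",
                 "readers": {"biometric"}},
}
MAX_SKEW_SECONDS = 30   # how far a request timestamp may drift from engine time


class SparRequestError(Exception):
    """Raised when a request must not be forwarded to the authentication server."""


def _mac(key: bytes, body: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_spar_request(device_id: str, device_key: bytes, token_type: str,
                       token_blob: str, nonce: str, ts: float) -> dict:
    """SPAR side: wrap one captured token in a device-authenticated envelope.

    token_blob is opaque to the MAP Engine (already protected for server 119).
    """
    body = json.dumps({"device": device_id, "type": token_type, "token": token_blob,
                       "nonce": nonce, "ts": ts}, sort_keys=True).encode()
    return {"body": body, "mac": _mac(device_key, body)}


@dataclass
class MapEngine:
    seen_nonces: set = field(default_factory=set)
    forwarded: list = field(default_factory=list)   # what would go to server 119

    def receive(self, request: dict, now: Optional[float] = None) -> dict:
        """Validate a SPAR request and return the record to forward, or raise."""
        now = time.time() if now is None else now
        try:
            body, mac = request["body"], request["mac"]
            msg = json.loads(body)
            device_id, token_type = msg["device"], msg["type"]
            token, nonce, ts = msg["token"], msg["nonce"], float(msg["ts"])
        except (ValueError, KeyError, TypeError):
            raise SparRequestError("malformed request")
        entry = DEVICE_REGISTRY.get(device_id)
        if entry is None:
            raise SparRequestError("unregistered SPAR device %r" % device_id)
        # Verify the device's MAC before acting on any other field.
        if not hmac.compare_digest(_mac(entry["key"], body), mac):
            raise SparRequestError("MAC mismatch for %s" % device_id)
        # A device with only a biometric reader cannot legitimately send RFID data.
        if token_type not in entry["readers"]:
            raise SparRequestError("%s has no %s reader" % (device_id, token_type))
        if abs(now - ts) > MAX_SKEW_SECONDS:
            raise SparRequestError("stale request")
        if (device_id, nonce) in self.seen_nonces:
            raise SparRequestError("replayed nonce")
        self.seen_nonces.add((device_id, nonce))
        record = {"device": device_id, "phone": entry["phone"],
                  "type": token_type, "token": token}
        self.forwarded.append(record)
        return record


def handle(engine: MapEngine, request: dict, now: float) -> Tuple[bool, object]:
    """Convenience wrapper: (True, record) when forwarded, (False, reason) otherwise."""
    try:
        return True, engine.receive(request, now)
    except SparRequestError as exc:
        return False, str(exc)
```

  The order of the checks matters: the registry lookup and MAC verification come first so that nothing in an unauthenticated body (not even the claimed token type) influences later decisions, and the nonce is recorded only after every other check passes, so a rejected request cannot burn a nonce that a legitimate retry would need. With a bounded timestamp window the nonce set can be pruned to entries younger than MAX_SKEW_SECONDS.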
  • By additional communication with gateway 101 (201) the MAP Engine 116 has the capability of:
      • Configure one or more IP phones according to the user personal profile, taking into account geographical location of these phones and their association with IP PBX.
      • For each IP phone (105, 205) configured according to the user's personal profile exercise control over call functions, media functions and data functions so that the communication services available to the user would match the related personal profile and policy-based permissions. Such communication services include but are not limited to: accepting incoming calls, placing outbound calls, participating in teleconferences and multi-modal broadcasts, access to various corporate directories, etc.
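  • The two capabilities above amount to policy-based derivation of a phone's telephony configuration: which call, media and data functions the IP PBX is asked to enable for this user on this phone, taking the phone's location and its IP PBX association into account. The following is an added example, not code from the patent or from the inventors' system, that shows such a derivation in Python with a default-deny rule: a function is enabled only if one of the user's groups grants it, it is a known function, the phone's location does not forbid it, and the profile does not explicitly deny it; the list of services then offered to the user (step 9 of FIG. 3) is derived from the enabled functions rather than maintained separately. The function names, group and location policy tables, PBX prefixes and service definitions are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Call, media and data functions the MAP Engine can ask the IP PBX to enable on a
# phone. The names are assumptions; the page lists the services, not an API.
ALL_FUNCTIONS = frozenset({"accept_incoming", "place_outbound", "conference",
                           "multimodal_broadcast", "corporate_directory"})

# Constructed policy tables (hypothetical values). Group membership and permissions
# would come from the directory server 120; the location table is the kind of
# restriction an enterprise applies to phones standing in public areas.
GROUP_POLICY = {
    "staff": {"accept_incoming", "place_outbound", "corporate_directory"},
    "sales": {"conference", "multimodal_broadcast"},
    "visitor": {"accept_incoming"},
}
LOCATION_DENY = {"lobby": {"place_outbound", "corporate_directory"}}

# Which IP PBX (101 or 201) a phone is associated with, and that PBX's outside-line
# prefix (assumed), so the configuration matches the phone's own site.
PBX_OF_PHONE = {"ipphone-112": ("pbx-101", "9"), "ipphone-212": ("pbx-201", "8")}

# Services offered to the user and the functions each one needs (assumed).
SERVICES = {
    "receive calls": {"accept_incoming"},
    "outbound dialing": {"place_outbound"},
    "teleconference": {"place_outbound", "conference"},
    "broadcast": {"multimodal_broadcast"},
    "directory lookup": {"corporate_directory"},
}


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    extension: str
    groups: FrozenSet[str]
    denied: FrozenSet[str] = frozenset()   # explicit per-user denials in the profile


def build_phone_config(profile: UserProfile, phone_id: str, location: str) -> Dict:
    """Derive the telephony configuration for `phone_id` from the user's profile.

    Default deny: a function is enabled only if some group grants it, it is a known
    function, the phone's location allows it and the profile does not deny it.
    """
    if phone_id not in PBX_OF_PHONE:
        raise ValueError("phone %s is not associated with any IP PBX" % phone_id)
    pbx, prefix = PBX_OF_PHONE[phone_id]
    granted = set()
    for group in profile.groups:
        granted |= GROUP_POLICY.get(group, set())   # unknown groups grant nothing
    allowed = (granted & ALL_FUNCTIONS) - LOCATION_DENY.get(location, set()) - profile.denied
    return {
        "phone": phone_id,
        "pbx": pbx,
        "user": profile.user_id,
        "extension": profile.extension,
        "outbound_prefix": prefix if "place_outbound" in allowed else None,
        "functions": frozenset(allowed),
    }


def is_permitted(config: Dict, function: str) -> bool:
    """Check a requested call/media/data function against the built configuration."""
    return function in config["functions"]


def available_services(config: Dict) -> Tuple[str, ...]:
    """Services whose every required function is enabled on this phone."""
    return tuple(sorted(name for name, needs in SERVICES.items()
                        if needs <= config["functions"]))
```

  Keeping the outbound prefix out of the configuration when outbound calling is not permitted means the phone never receives a dial plan it is not allowed to use, rather than relying on the PBX to block the call afterwards; the same profile produces a narrower configuration on a lobby terminal than on an office phone without any per-location profile copies.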
  • Also in this embodiment, the MAP Engine 116 (216) maintains a peer-to-peer TCP/IP connection to an instance of an application known by the inventors as the Multi-Modal Media Server 117 (217) (hereafter termed "Media Server"). The said Media Server, according to the control requests of the corresponding MAP Engine, performs the actual delivery of combined voice, data and video streams to the VoIP phones of supported types and configurations, according to the actual capabilities of the participating VoIP phones. The Media Server also performs the function of collecting users' input to the data forms supplied to the screen-enabled VoIP phones and passing this data to the MAP Engine, so that the latter can process it and generate the subsequent control instructions based on the results of such processing and on relevant static and dynamic configuration data and business rules. There are a number of ways the Media Server 117 may be implemented. For example, the Media Server may be executed on the same hardware processor that executes the MAP Engine; alternatively it may run on a separate hardware processor, independently or as an add-on component of a standard Web application server like Tomcat.
  • Also in FIG. 2, the MAP Engine 116 and the Media Server 117, via TCP/IP-based network connection 114, interact with an instance of an industry-standard relational database (RDBMS) 118 (218) that is used as storage for various data elements to which the MAP Engine 116 (216) and Media Server 117 (217) have read-write access; these data elements include (but are not limited to) system configuration information, real-time status, scheduling and historical data that is used to generate various business rules and interaction scenarios executed by the MAP Engine 116 (216) and the Media Server 117 (217), as well as for generation of various historical business reports related to the functions performed by the described system.
  • Also in FIG. 2, the same instances of MAP Engine and Media Server can simultaneously communicate with gateways of different vendors, seamlessly delivering the same functionality to IP phones and automatically adjusting presentation and flow logic to the vendor-specific capabilities of the corresponding IP phone.
  • Additionally, the MAP Engine 116 and the Media Server 117 use well-known industry-standard protocols and technologies for data encryption and secure communications when communicating between themselves, with SPAR devices and any other 3rd party components that require and support the data encryption and secure communications. These protocols and technologies include but are not limited to:
      • Transport Layer Security (TLS)
      • Internet Protocol Security (IP-Sec)
      • Secure Sockets Layer (SSL) for both HTTP and TCP/IP traffic with up to 128-bit encryption
  • The system 40 may include one or several hardware processors executing some or all of the following industry-standard 3rd party software components:
      • Security and Authentication Server (119) that is used to authenticate the user based on the authentication data collected and transmitted by a SPAR device and to provide MAP Engine with the data elements that would uniquely identify the user and would allow to retrieve the corresponding personal profiles and permissions
      • LDAP-compliant Directory Server (120) that is used as an external persistent read-only storage of information related to users, departments, groups, and the corresponding permissions and policies
      • SIMPLE-compliant Presence Server (121) is used to track real-time changes in the users' presence and availability statuses and to provide real-time notification about these changes to all system components (e.g., MAP Engine) that programmatically registered their interest in such status updates. The said MAP Engine (116, 216) can publish user-related real-time presence information to the Presence Server, and can subscribe to it for the purpose of receiving relevant presence information that may be published by other components.
      • Text-to-Speech Server 130 (230), that converts a typed text into a corresponding audio file in one of the supported formats (hereafter termed as TTS Server)
      • Automated Speech Recognition Server 131 (231) that in real time analyzes user's natural speech; and sends the recognized data elements to the MAP Engine (116, 216), thereby allowing for using natural speech as a mode of communication with the system. For example, the user may call into the system using PSTN phone 128 or one of the IP phones (105, 205), and after positive authentication can navigate through the available system's functions using natural speech.
      • Customer Relationship Management (CRM) software environment (122) that can be used by the MAP Engine (116, 216) to request and deliver relevant business services to an authenticated and authorized user by way of VoIP telephone (105, 205) as a multi-modal interaction terminal
      • Business Process Management and Automation (BPMA) software environment (123) that can be used by the MAP Engine (116, 216) to request and deliver relevant business services to an authenticated and authorized user by way of VoIP phone (105, 205) as a multi-modal interaction terminal
      • Various Groupware software (124) that can be used by the MAP Engine (116, 216) to retrieve relevant user, group and calendaring information, and that can serve as an authenticated client requesting authorized services provided by the said MAP Engine based on user's profile and related policy-based permissions.
  • In operation, the system 40 allows for multi-level secure access to communication terminals, such as the IP telephone 12 of FIGS. 1(a)-(d). In one embodiment and method of the present invention, there are three levels of security: a physical authentication, a logical authentication and a biometric authentication. Both logical and physical authentications are performed by coordinated actions of the MAP Engine (116) and the Security and Authentication Server (119); no authentication is performed by the IP phone itself. The SPAR device associated with (attached to) the phone is used for capturing the related authentication tokens and passing them securely to the MAP Engine (116), which in turn processes all captured authentication tokens and passes them to the Security and Authentication Server (119).
  • FIG. 3 is a high-level sequence diagram depicting the flow of a session with secure profile management activity in the system of FIG. 2. That is, vertically, time is represented going down the page, and events and requests are represented horizontally on the page. The flow starts with a User Authentication Request sent by a SPAR device, such as any of the SPAR devices of FIG. 2, to the MAP Engine 116 of FIG. 2. Having received such a request, the MAP Engine, based on the information sent by the SPAR device and on other relevant configuration data, dynamically identifies the type of session and initiates it. A sample session flow may be as follows:
      • 1. MAP Engine submits User Authentication Data received from the SPAR device to the Security and Authentication Server for authentication and authorization
      • 2. Security and Authentication Server returns positive user authentication and user identification credentials
      • 3. MAP Engine requests User Personal Profile and associated permissions from the LDAP Directory Server
      • 4. LDAP Directory server sends requested data to the MAP Engine
      • 5. MAP Engine publishes updated user-related presence information to the Presence Server
      • 6. MAP Engine sends request to the IP PBX to build the user's personal communication profile on the VoIP Phone associated with the authenticating SPAR device
      • 7. IP PBX builds the user's personal communication profile on the corresponding VoIP phone
      • 8. IP PBX notifies MAP Engine about successful creation of the user's personal communication profile
      • 9. MAP Engine presents list of available services to the user's VoIP phone
      • 10. User selects a service and sends service request to the MAP Engine
      • 11. MAP Engine performs requested actions and sends service response to the user's VoIP phone
      • 12. User sends service requests to the MAP Engine
      • 13. MAP Engine performs requested actions and sends service responses to the user's VoIP phone
      • 14. User sends "Complete Service" request to the MAP Engine
      • 15. MAP Engine publishes updated user-related presence information to the Presence Server and completes the session.
  • FIG. 4 shows a system 402 including the system 40 but in another configuration, in accordance with an alternate embodiment of the present invention. In the system 402 of FIG. 4, the SPM points or SSP terminals, such as the combination of an IP phone 105 and a SPAR device 108, are located remotely, outside of the enterprise (for example, in a store), and are connected to the system 40 through a Wide Area Network (WAN)/Internet cloud 400.
  • FIG. 4 is a high-level overview of distributed heterogeneous convergent communication infrastructure enhanced with the hardware and software that covers multi-location enterprise (which acts as a business service provider), and includes remote Secure Service Points that are installed outside of the enterprise boundaries in various publicly accessed locations (including but not limited to retail stores, bank branches, hotel lobbies and guest rooms, airport terminals and lounges, public phone booths, etc.) with the goal to deliver various business services to the users using multi-modal interactive sessions according to the business logic controlled in real time from a secure centralized enterprise environment.
  • FIG. 4 and some of its structure will be explained in reference to FIG. 2, as many of the same structures or components are included in both figures. Each “business service provider” enterprise location includes the following key components of the enterprise convergent communication network (each communication component shown at the location 1 has its matching counterpart at the location 2; the numbering for the Location 1 component start with digit 1, the numbers of the corresponding components at Location 2 start with the digit 2):
      • IP PBX combined with IP Media Gateway 101 (201) and connected to a dedicated Voice LAN 104 (204)
      • Voice-over-IP Phones of various types 105 (205) connected to the corresponding Voice LAN 104 (204)
      • Personal Computers of various types 133 (233) connected to the corresponding VLAN 104(204) or separate LAN 125 (225)
      • IP/PSTN Gateway 102 (202) connected to the Public Switched Telephone Network (PSTN) 127 via ISDN PRI trunks 103 (203) to support connectivity between the IP PBX 101 (201) and various (wireless and wired) PSTN phones 128.
  • The present invention assumes a heterogeneous distributed convergent network that contains both LAN/WAN segments (126) and WAN/Internet segments (129); it also contains multiple remote Secure Service Point terminals (110-113) connected to the WAN/Internet 129 via standard Ethernet connections 114.
  • Each remote SSP terminal (110-113) contains IP Phone 105 and associated SPAR apparatus (individual or combined, as shown on 106-109) described earlier in this embodiment.
  • Each remote SSP terminal (110-113) can perform an authentication procedure, the flow of which is controlled by a customizable and configurable authentication sequence session that describes which authentication tokens the user should be challenged with, and in which order. Depending on this authentication sequence session, the involved SSP terminal can encrypt one or several captured authentication tokens at a time and send them securely to the controlling MAP Engine 116 (216), which, based on the authentication sequence session, validates the captured authentication tokens and performs one of the following three actions:
      • 1) Confirm authentication, retrieve user profile and allow access to appropriate business services; or
      • 2) Reject authentication and deny access to the system from the involved SSP terminal; or
      • 3) Validate available authentication tokens and request more authentication steps until either action 1) or action 2) would be taken.
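  • The three actions above, together with the three levels of security described for FIG. 2 (physical, logical, biometric), define a small state machine that the MAP Engine runs per terminal. The following is an added example, not code from the patent or from the inventors' system, that implements such an authentication sequence session in Python: the sequence of token types is configured per terminal, each submitted token is checked against a constructed stand-in for the Security and Authentication Server 119, and the engine returns CONFIRM (action 1), REJECT (action 2) or REQUEST_MORE (action 3). Two cases the page's wording leaves open are handled explicitly, as this example's own choices: a bounded number of failed or out-of-order submissions before the terminal is rejected, and an immediate rejection when tokens in one session resolve to different identities (one user's badge followed by another user's PIN). The token values, user ids and terminal ids are hypothetical, and a real server would hold hashed PINs and biometric templates rather than the literal values used here.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    CONFIRM = "confirm"            # action 1: retrieve profile, allow access
    REJECT = "reject"              # action 2: deny access from this terminal
    REQUEST_MORE = "request_more"  # action 3: challenge for the next token


# Constructed stand-in for the Security and Authentication Server 119:
# (token type, token value) -> user id. Hypothetical test data only; a real
# server would verify against hashed PINs and stored biometric templates.
AUTH_SERVER = {
    ("rfid", "rfid-7f3a"): "alice",
    ("pin", "2468"): "alice",
    ("fingerprint", "fp-alice"): "alice",
    ("rfid", "rfid-9c01"): "bob",
    ("pin", "1357"): "bob",
}


def auth_server_validate(token_type: str, token_value: str) -> Optional[str]:
    """Return the user id a token resolves to, or None when it is not accepted."""
    return AUTH_SERVER.get((token_type, token_value))


@dataclass
class AuthSequenceSession:
    """Authentication sequence session for one SSP terminal.

    `sequence` is the configured order of challenges, e.g. ("rfid", "pin",
    "fingerprint") for the physical, logical and biometric levels.
    """
    terminal_id: str
    sequence: Tuple[str, ...]
    max_failures: int = 3
    validated: list = field(default_factory=list)   # [(token_type, user_id)]
    failures: int = 0
    decision: Optional[Decision] = None

    def expected(self) -> str:
        """Token type the user should be challenged with next."""
        return self.sequence[len(self.validated)]

    def submit(self, token_type: str, token_value: str) -> Tuple[Decision, str]:
        """Validate one captured token; returns (Decision, detail)."""
        if self.decision is not None:
            raise RuntimeError("session already closed: %s" % self.decision.value)
        if token_type != self.expected():
            # Token for the wrong step: do not validate it, just re-challenge.
            return self._failure("expected %s token" % self.expected())
        user = auth_server_validate(token_type, token_value)
        if user is None:
            return self._failure("%s token rejected" % token_type)
        if any(u != user for _, u in self.validated):
            # Factors resolve to different identities: treat as misuse, reject now.
            self.decision = Decision.REJECT
            return Decision.REJECT, "identity mismatch across tokens"
        self.validated.append((token_type, user))
        if len(self.validated) == len(self.sequence):
            self.decision = Decision.CONFIRM
            return Decision.CONFIRM, user
        return Decision.REQUEST_MORE, self.expected()

    def _failure(self, reason: str) -> Tuple[Decision, str]:
        self.failures += 1
        if self.failures >= self.max_failures:
            self.decision = Decision.REJECT
            return Decision.REJECT, reason
        return Decision.REQUEST_MORE, self.expected()
```

  The `detail` value returned with REQUEST_MORE is the next token type, which is exactly what the MAP Engine needs to send back to the terminal as the next challenge; the identity confirmed with CONFIRM is what the engine then uses to retrieve the profile from the directory server.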
  • Once a positive user authentication is confirmed, the controlling MAP Engine 116 (216) retrieves the authenticated user's profile, determines the type of business service requested by the user (based on the user's permissions and associated business rules and policies), retrieves session scenario description from a permanent storage (RDBMS or file system) and starts multi-modal interactive session acting as an intermediary between the user and back-end enterprise CRM/ERM system that actually controls the requested business service and performs all related business transactions.
  • The said multi-modal session may consist of any combination of audio (in a form of prepared or TTS-generated audio files), video and data (in a form of text and/or images) streams generated according to the session scenario and sent upstream to the participating SSP Terminal (110-113); it would interact with the user by accepting input in multiple formats including (but not limited to) natural speech (processed by an ASR system), DTMF input, data input (using data forms pushed to the IP Phone 105 of the participating SSP Terminal) or token input (using the SPAR device 106-109 of the participating SSP Terminal 110-113).
  • At any moment during such multi-modal interactive session the controlling MAP Engine (either based on the user request or on the session scenario) can:
      • Initiate a phone call from the IP Phone 105 of the participating terminal to an IP Phone 132 (232) of an available Customer Service Representative (CSR)
      • Aggregate all business data collected up to this moment during the said multi-modal interactive session;
      • Associate this aggregated data with the call and pass it either to the CSR's IP Phone 132 (232) or to the associated computer 133 (233)
  • Should the said CSR decide to transfer the said multi-modal interactive session to another CSR, the controlling MAP Engine (per the former CSR's request) using 3rd party call control and media control functions performs transfer of the session (call, associated data and video stream) to the IP Phone and computer of new designated CSR.
  • Should the said CSR decide to conference another CSR in the said multi-modal session, the controlling MAP Engine (per the former CSR's request) using 3rd party call control and media control functions performs conference thereby adding IP Phone and computer of the latter CSR to the session so that all session streams (call, associated data and video stream) become available to this new CSR.
  • FIG. 5 is a high-level sequence diagram depicting the flow of the session using Secure Service Point and Multi-Modal Application Platform environment of FIG. 4.
  • The flow starts with a User Authentication Request sent by an SSP terminal to the MAP Engine. Having received such a request, the MAP Engine, based on the information sent by the SSP terminal and on other relevant configuration data, dynamically identifies the correct type of session and initiates it. A sample session flow may look as follows:
      • 1. SSP Terminal captures and securely submits encrypted User Authentication data
      • 2. MAP Engine securely submits the said User Authentication Data received to the Security and Authentication Server for authentication and authorization
      • 3. Security and Authentication Server returns positive user authentication and user identification credentials
      • 4. MAP Engine requests User Personal Profile and associated permissions from the LDAP Directory Server
      • 5. LDAP Directory server sends requested data to the MAP Engine
      • 6. MAP Engine requests the list of available services from the CRM/ERM system based on the user's profile and associated permissions.
      • 7. The CRM/ERM system returns the list of services available for the said user to the MAP Engine
      • 8. MAP Engine presents the list of available services to the SSP terminal
      • 9. The user selects a service and sends service request to the MAP Engine
      • 10. MAP Engine performs actions related to this service request, including (but not limited to) reformatting it, and redirects properly formatted service request to the CRM/ERM system
      • 11. The CRM/ERM system returns service response to the MAP Engine
      • 12. MAP Engine performs actions related to this service response including (but not limited to) reformatting it according to the SSP terminal capabilities, and sends properly formatted service response to the SSP Terminal
      • 13. The user continues interaction by sending more service requests
      • 14. MAP Engine processes these requests as described earlier, and re-directs them to the CRM/ERM system
      • 15. The CRM/ERM system returns the corresponding service responses to the MAP Engine
      • 16. MAP Engine processes these responses as described earlier, and sends properly formatted service responses to the SSP Terminal
      • 17. The user decides to talk to a CRM/ERM agent and sends “Agent Service Request” to the MAP Engine
      • 18. MAP Engine via IP PBX initiates and connects call between the SSP Terminal's IP Phone and the selected Agent's IP Phone
      • 19. Once the call is connected, MAP Engine presents all collected session information to the selected Agent's personal computer.
      • 20. The user interacts with the CRM/ERM agent by talking and/or sending information request using SSP terminal if needed
      • 21. MAP Engine performs actions related to this information request, including (but not limited to) reformatting it, and redirects properly formatted information request to the Agent's IP Phone and/or PC
      • 22. The Agent responds to this request by talking and/or sending information response to the MAP Engine using PC and/or IP Phone
      • 23. MAP Engine performs actions related to this information response including (but not limited to) reformatting it according to the SSP terminal capabilities, and sends properly formatted information response to the SSP Terminal
      • 24. The user interacts with the CRM/ERM agent by talking and/or sending more information requests using SSP terminal if needed
      • 25. MAP Engine processes these information requests as described earlier, and redirects properly formatted information requests to the Agent's IP Phone and/or PC
      • 26. The Agent responds to this request as described earlier, by talking and/or sending information response to the MAP Engine using PC and/or IP Phone
      • 27. MAP Engine processes these information responses as described earlier, and sends properly formatted information response to the SSP Terminal
      • 28. The user indicates that the service is complete by sending “Service Complete” request to the MAP Engine.
      • 29. MAP Engine notifies the CRM/ERM agent about service completion, completes the session, frees up all related resources and performs other related required actions.
  • FIG. 6 is a high-level overview of distributed heterogeneous convergent communication system 600 enhanced with the hardware and software for Secure Service Access Point operations, provisioning, management and controlled access to the enterprise communication and business services over convergent network according to another embodiment of the present invention. The system 600 includes the system 400 and covers multi-location enterprise (which can act as a business service provider), and includes remote Secure Service Access Points that are installed outside of the enterprise boundaries in various publicly accessed locations (including but not limited to retail stores, bank branches, hotel lobbies and guest rooms, airport terminals and lounges, public phone booths, etc.) with the goal to deliver various business services to the users using multi-modal interactive sessions according to the business logic controlled in real time from a secure centralized enterprise environment.
  • FIG. 7 is a high-level sequence diagram depicting the flow of the multi-level centralized authentication session using Secure Service Access Point and Multi-Modal Application Platform environment of the system 600.
  • Each “business service provider” enterprise location is shown as a dashed rectangle and contains the following key components of the enterprise convergent communication network (each communication component shown at the location 1 has its matching counterpart at the location 2; the numbering for the Location 1 component start with digit 1, the numbers of the corresponding components at Location 2 start with the digit 2):
      • IP PBX combined with IP Media Gateway 101 (201) and connected to a dedicated Voice LAN 104 (204)
      • Voice-over-IP Phones of various types 105 (205) connected to the corresponding Voice LAN 104 (204)
      • IP/PSTN Gateway 102 (202) connected to the Public Service Telephone Network (PSTN) 127 via ISDN PRI trunks 132 (232) to support connectivity between the IP PBX 101 (201) and various (wireless and wired) PSTN phones 128.
  • The present invention assumes a heterogeneous distributed convergent network that contains both LAN/WAN segments (126), wireless access points (125, 225) and WAN/Internet segments (129), and also includes:
      • Multi-modal VoIP phones (105, 205) that are capable of handling any combination of voice, data and video streams (the actual capabilities of these end points determine the multi-modal streams that would be delivered);
      • The said SPAR authentication devices, whether wired (103, 203) or wireless (104, 204) that are logically and physically associated with IP Phones in a “Secure Service Access Point” (SSAP) apparatus and can perform the following authentication procedures: biometric authentication (fingerprint, palm-print or iris-reader), physical token authentication (magnetic card reader, smart card reader, RFID reader)
      • Multiple desktop (106, 206) and/or laptop computers (107, 207) connected to the network segments (104, 204, 126, 129) via wired (114, 214) connections or wireless access points (125, 225)
      • Multiple remote SSAP terminals (110-113) connected to the WAN/Internet 129 via standard Ethernet connections 114.
  • An SSAP apparatus may contain one or more SPAR devices which can be of different types, including but not limited to biometric readers, smart card or magnetic card or RFID readers, or can be combined into compound devices that may include any combination of Smart Card, Magnetic Card, RFID and Biometric readers in a single unit (103). Accordingly an SSAP apparatus can support either separate types of authentication, or can perform several types of authentication alternatively or in combination. An SSAP apparatus is connected to the enterprise LAN either directly or through a standard dedicated Ethernet switch.
  • Normally each SPAR device would be associated with one or several IP phones and/or with one or several desktop or laptop computers; such logical associations would be stored in an appropriate software-based persistent storage repository (e.g., relational database), so that an SSAP apparatus can contain more than one associated SPAR device, more than one associated IP phones and can be associated with one or several desktop/laptop computers.
  • The SPAR devices associated with VoIP phones may reside on the same physical chassis with VoIP phones, or can be physically separated from their associated phones; any such logical combination of one or more SPAR devices with one or more IP phones is hereafter termed “Secure Service Access Point” (SSAP) shown on the FIG. 2 as 110-113 and 210-213.
  • It will be apparent as well, that the present invention is not limited to a multi-location architecture shown in FIG. 6, but may be applied as well to other arrangements of elements where VoIP-capable communication end points (whether included in SSAP apparatuses or not) are used to handle multi-modal user interaction sessions including but not limited to internal, external incoming and external outgoing telephone calls, multi-modal broadcasts of data, voice and video streams, presence management and monitoring, etc.
  • Also connected to the local area networks 104 (204) and 114 (214) is a processor executing an instance of Multi-modal Application Platform application server 116 (216), known by the inventors as MAP Engine. The MAP Engine 116 (216) has several purposes associated with processing user authentication information that comes from any SSAP apparatus on the network. For example, by communicating bi-directionally with any registered SSAP apparatus, the said MAP Engine has the capability to:
      • Receive multiple encrypted requests with aggregated or separate authentication tokens from a registered SSAP apparatus
      • Identify the SSAP apparatus that is a source of the request
      • Parse and decrypt the said authentication tokens
      • Accumulate and aggregate authentication tokens according to the “authentication scenario” and make positive or negative authentication decisions
      • Pass the encrypted authentication tokens to a 3rd party authentication server
      • Receive and process, according to the “authentication scenario”, responses from the authentication server that contain one or several attributes that uniquely identify the user
      • Retrieve user's personal communication profile and, by additional communication with IP PBX 101 (201) configure the VoIP phone in the corresponding SSAP apparatus according to this profile, taking into account geographical location of the SSAP apparatus and appropriate business rules and policies.
      • Present the user with the list of available communication and business services according to the user's profile and permissions.
      • Based on the authenticated profile and location of the originating SPAR device and association of the SPAR device with VoIP phone, and using unified protocol for Presence Management (SIMPLE) the said MAP Engine can publish user-related presence information to any industry-standard 3rd party Presence Server
      • Based on the authentication profile and type of preconfigured services can initiate an automated multi-modal session between the user and available/permitted enterprise communication or business services.
      • Using additional communications with IP PBX 101 (201), for each VoIP phone (105, 205) configured according to the user's personal profile the said MAP Engine can exercise control over call functions, media functions and data functions, so that the communication services available to the user would match the related personal profile and policy-based permissions. Such communication services include but are not limited to: accepting incoming calls, placing outbound calls, participating in teleconferences and multi-modal broadcasts, access to various corporate directories, etc.
  • Also in this embodiment MAP Engine 116 (216) maintains a peer-to-peer TCP/IP connection to an instance of application known by the inventor as Multi-Modal Media Server 117 (217) (hereafter termed “Media Server”). The said Media Server, according to the control requests of the corresponding MAP Engine, performs the actual delivery of combined voice, data and video streams to the VoIP phones of supported types and configurations according to the actual capabilities of the participating VoIP phones. The Media Server also performs the function of collecting users' input to the data forms supplied to the screen-enabled VoIP phones and passing this data to the MAP Engine, so that the latter can process it and generate the subsequent control instructions based on the results of such processing and on relevant static and dynamic configuration data and business rules. There are a number of ways Media Server 117 may be implemented. For example, Media Server may be executed on the same hardware processor that executes the MAP Engine; alternatively it may run on a separate hardware processor independently or as an add-on component of a standard Web application server like Tomcat.
  • Also in this embodiment MAP Engine and Media Server via TCP/IP-based network connection interact with an instance of an industry-standard relational database (RDBMS) 118 (218) that is used as a persistent storage for various data elements to which the MAP Engine 116 (216) and Media Server 117 (217) have read-write access; these data elements include (but are not limited to) system configuration information, real-time status, scheduling and historical data that is used to generate various business rules and interaction scenarios executed by the MAP Engine 116 (216) and the Media Server 117 (217), as well as for generation of various historical business reports related to the functions performed by the described system.
  • Also in this embodiment the same instances of MAP Engine and Media Server can simultaneously communicate with IP PBXs of different vendors, seamlessly delivering the same functionality to associated SSAP apparatuses and automatically adjusting presentation and flow logic to the vendor-specific capabilities of the corresponding SSAP apparatus.
  • Also in this embodiment MAP Engine and Media Server use well-known industry-standard protocols and technologies for data encryption and secure communications when communicating between themselves, with SPAR devices and any other 3rd party components that require and support the data encryption and secure communications. These protocols and technologies include but are not limited to:
      • Transport Layer Security (TLS)
      • Internet Protocol Security (IP-Sec)
      • Secure Socket Layer (SSL) for both HTTP and TCP/IP traffic with up to 128 bit-based encryption
  • Also in this embodiment the system may contain one or several hardware processors running some or all of the following industry-standard 3rd party software components:
      • Security and Authentication Server (119) that is used to authenticate the user based on the authentication data collected and transmitted by a SSAP apparatus and to provide MAP Engine with the data elements that would uniquely identify the user and would allow retrieval of the corresponding personal profiles and permissions
      • LDAP-compliant Directory Server (120) that is used as an external persistent read-only storage of information related to users, departments, groups, and the corresponding permissions and policies
      • SIMPLE-compliant Presence Server (121) is used to track real-time changes in the users' presence and availability statuses and to provide real-time notification about these changes to all system components (e.g., MAP Engine) that programmatically registered their interest in such status updates. The said MAP Engine (116, 216) can publish user-related real-time presence information to the Presence Server, and can subscribe to it for the purpose of receiving relevant presence information that may be published by other components.
      • Text-to-Speech Server 130 (230), that converts a typed text into a corresponding audio file in one of the supported formats (hereafter termed as TTS Server)
      • Automated Speech Recognition Server 131 (231) that in real time analyzes the user's natural speech captured as a digitized audio stream, and sends the recognized data elements to the MAP Engine (116, 216), thereby allowing natural speech to be used as a mode of communication with the system. For example, the user may call into the system using PSTN phone 128 or one of the VoIP phones (105, 205), and after positive authentication can navigate through the available system's functions using natural speech.
      • Customer Relationship Management (CRM) and/or Employee Relationship Management (ERM) software system (122) that can be used by the MAP Engine (116, 216) to request and deliver relevant business services to an authenticated and authorized user by use of SSAP apparatus as a multi-modal interaction terminal, and to initiate and complete various transactions required by the corresponding business scenarios
      • Business Process Management and Automation (BPMA) software system (123) that can be used by the MAP Engine (116, 216) to request and deliver relevant business services to an authenticated and authorized user by use of SSAP apparatus as a multi-modal interaction terminal, and to initiate and complete various transactions required by the corresponding business scenarios
      • Various Groupware software (124) that can be used by the MAP Engine (116, 216) to retrieve relevant user, group and calendaring information, and that can serve as an authenticated client requesting authorized services provided by the said MAP Engine based on user's profile and related policy-based permissions.
  • Each remote SSAP terminal (110-113) can perform an authentication procedure, the flow of which is controlled by a customizable and configurable authentication sequence session that describes which authentication tokens the user should be challenged with, and in which order. Depending on this authentication sequence session the involved SSAP terminal can encrypt one or several captured authentication tokens at a time and send them securely to the controlling MAP Engine 116 (216), which, based on the authentication sequence session, would validate the captured authentication tokens and perform one of the following three actions:
      • 1) Confirm authentication, retrieve user profile and allow access to appropriate business services; or
      • 2) Reject authentication and deny access to the system from the involved SSAP terminal; or
      • 3) Validate available authentication tokens and request more authentication steps until either action 1) or action 2) would be taken.
  • Once a positive user authentication is confirmed, the controlling MAP Engine 116 (216) retrieves the authenticated user's profile, determines the type of business service requested by the user (based on the user's permissions and associated business rules and policies), retrieves session scenario description from a permanent storage (RDBMS or file system) and starts multi-modal interactive session according to the said session scenario description.
  • FIG. 7 is a high-level sequence diagram depicting the flow of the multi-level centralized authentication session using Secure Service Access Point and Multi-Modal Application Platform environment of the system 600 of FIG. 6.
  • The flow starts with User Authentication Token 1 sent by a SSAP terminal to the MAP Engine. Having received such a request, the MAP Engine, based on the information sent by the SSAP terminal and on other relevant configuration data, dynamically identifies the correct type of session and initiates it. A sample session flow may look as follows:
      • 1. SSAP Terminal captures and securely submits encrypted User Authentication Token 1 (e.g., RFID tag)
      • 2. MAP Engine securely submits the said User Authentication Token 1 received to the Security and Authentication Server for authentication and authorization
      • 3. Security and Authentication Server returns positive authentication of the Token 1
      • 4. According to the “authentication scenario” MAP Engine requests one or more additional User Authentication Tokens
      • 5. SSAP Terminal captures, encrypts and securely submits additional authentication tokens to the MAP Engine
      • 6. Once these additional encrypted tokens are received by the MAP Engine, it securely re-submits them to the Security and Authentication Server for authentication and authorization
      • 7. Security and Authentication Server returns separate authentication results for each authentication token (the steps 4-7 are repeated until the user is either rejected or positively authenticated based on the “authentication scenario”)
      • 8. Once the user has been positively identified, MAP Engine requests the user's profile from a corresponding directory
      • 9. LDAP Directory server sends requested data to the MAP Engine
      • 10. MAP Engine requests the list of available services from the CRM/ERM system based on the user's profile and associated permissions.
      • 11. The CRM/ERM system returns the list of services available for the said user to the MAP Engine
      • 12. MAP Engine presents the list of available services to the SSAP terminal
      • 13. The user selects a service and sends service request to the MAP Engine
      • 14. MAP Engine performs actions related to this service request, including (but not limited to) reformatting it, and redirects properly formatted service request to the CRM/ERM system
      • 15. The CRM/ERM system returns service response to the MAP Engine
      • 16. MAP Engine performs actions related to this service response including (but not limited to) reformatting it according to the SSAP terminal capabilities, and sends properly formatted service response to the SSAP Terminal
      • 17. The user continues interaction by sending more service requests
      • 18. MAP Engine processes these requests as described earlier, and re-directs them to the CRM/ERM system
      • 19. The CRM/ERM system returns the corresponding service responses to the MAP Engine
      • 20. MAP Engine processes these responses as described earlier, and sends properly formatted service responses to the SSAP Terminal
      • 21. The user indicates that the service is complete by sending “Service Complete” request to the MAP Engine.
      • 22. MAP Engine notifies the CRM/ERM agent about service completion, completes the session, frees up all related resources and performs other related required actions.
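The multi-level authentication loop above (steps 1-9 of the FIG. 7 flow, together with the three possible actions of the controlling MAP Engine described for remote SSAP terminals) can be modelled as a small state machine. The following is an added example written for this page, not code from the patent or from any product it names; the registered SSAP terminals, the per-location “authentication scenario”, the enrolled token values, the directory entries and all function names are constructed assumptions, and the Security and Authentication Server and LDAP Directory Server are replaced by in-memory stand-ins.

```python
"""Simulation of the MAP Engine's multi-level authentication scenario.

Added example, not the patent's code.  Every identifier, token value and
scenario below is a constructed assumption.  Transport encryption of the
tokens (TLS/IPsec in the description) is assumed to happen outside this code.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    CONFIRM = "confirm"  # action 1: retrieve profile, allow business services
    REJECT = "reject"    # action 2: deny access from this SSAP terminal
    MORE = "more"        # action 3: tokens so far valid, challenge for more


# Constructed registry of SSAP apparatuses: apparatus id -> location class.
# Remote terminals sit in public locations (retail stores, lobbies, ...).
REGISTERED_SSAP = {"ssap-105": "enterprise", "ssap-110": "remote", "ssap-113": "remote"}

# Constructed "authentication scenario": ordered token types the user must
# present.  A remote (public-location) terminal demands a third factor.
SCENARIO = {
    "enterprise": ["rfid", "pin"],
    "remote": ["rfid", "pin", "fingerprint"],
}

# Constructed enrolment data standing in for the Security and Authentication
# Server's store: token type -> token value -> attribute uniquely identifying the user.
ENROLLED = {
    "rfid": {"tag-0042": "uid=alice", "tag-0077": "uid=bob"},
    "pin": {"1234": "uid=alice", "9876": "uid=bob"},
    "fingerprint": {"fp-template-a": "uid=alice"},
}

# Constructed stand-in for the LDAP Directory Server: personal profile and
# the business services the user's permissions allow.
DIRECTORY = {
    "uid=alice": {"services": ["account-balance", "agent-call"]},
    "uid=bob": {"services": ["account-balance"]},
}


@dataclass
class Session:
    """Authentication state for one SSAP apparatus (one user attempt)."""
    scenario: list
    validated: dict = field(default_factory=dict)  # token type -> uid


def auth_server_check(token_type, token_value):
    """Stand-in for the Security and Authentication Server: validates a single
    token and returns the user attribute it identifies, or None."""
    return ENROLLED.get(token_type, {}).get(token_value)


class MapEngine:
    def __init__(self):
        self.sessions = {}  # ssap_id -> Session

    def submit_token(self, ssap_id, token_type, token_value):
        """Process one token from an SSAP terminal and return (Decision, detail).

        detail is a reason string on REJECT, the list of still-required token
        types on MORE, and the user's profile on CONFIRM."""
        # First identify the SSAP apparatus that is the source of the request;
        # an unregistered apparatus never gets a session at all.
        location = REGISTERED_SSAP.get(ssap_id)
        if location is None:
            return Decision.REJECT, "unregistered SSAP apparatus"
        session = self.sessions.setdefault(ssap_id, Session(SCENARIO[location]))

        # The scenario fixes the order of challenges; an out-of-sequence
        # token ends the attempt rather than being silently accepted.
        expected = session.scenario[len(session.validated)]
        if token_type != expected:
            self.sessions.pop(ssap_id)
            return Decision.REJECT, f"expected {expected} token, got {token_type}"

        uid = auth_server_check(token_type, token_value)
        if uid is None:
            self.sessions.pop(ssap_id)
            return Decision.REJECT, f"{token_type} token failed authentication"

        # Aggregate: every validated token in the session must identify the
        # same user, otherwise the tokens cannot be combined into one identity.
        if session.validated and uid not in session.validated.values():
            self.sessions.pop(ssap_id)
            return Decision.REJECT, "tokens identify different users"
        session.validated[token_type] = uid

        remaining = session.scenario[len(session.validated):]
        if remaining:
            return Decision.MORE, remaining  # steps 4-7 repeat for these
        self.sessions.pop(ssap_id)
        profile = DIRECTORY[uid]  # steps 8-9: profile from the directory
        return Decision.CONFIRM, {"uid": uid, "services": profile["services"]}


def run_flow(ssap_id, tokens):
    """Replay a list of (token_type, token_value) pairs from one terminal
    against a fresh engine and return the final (Decision, detail)."""
    engine = MapEngine()
    result = (Decision.REJECT, "no tokens submitted")
    for token_type, token_value in tokens:
        result = engine.submit_token(ssap_id, token_type, token_value)
        if result[0] != Decision.MORE:
            break
    return result


if __name__ == "__main__":
    print(run_flow("ssap-110", [("rfid", "tag-0042"), ("pin", "1234"),
                                ("fingerprint", "fp-template-a")]))
```

The same RFID tag and PIN that complete the enterprise scenario only reach action 3 on a remote terminal, and a PIN enrolled to a different user than the RFID tag is rejected even though each token validates on its own.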
  • Although the present invention has been described in terms of specific embodiments, it is anticipated that alterations and modifications thereof will no doubt become apparent to those skilled in the art. It is therefore intended that the following claims be interpreted as covering all such alterations and modifications as fall within the true spirit and scope of the invention.

Claims (13)

1. A method of securely accessing a voice-enabled communication terminal, having certain functions associated therewith, using an Internet Protocol (IP) comprising:
performing physical authentication of a user;
performing logical authentication of the user;
performing verification of the user; and
upon successful confirmation of the user, allowing access to the functions of the communication terminal.
2. A method of securely accessing a voice-enabled communication terminal, as recited in claim 1, further including the step of performing biometric verification of the user.
3. A method of securely accessing a voice-enabled communication terminal, as recited in claim 1, wherein the communication terminal is an Internet Protocol (IP) telephone.
4. A method of securely accessing a voice-enabled communication terminal, as recited in claim 3, further including the step of, upon access of the IP telephone, using the user profile to build functions for the IP telephone.
5. A method of securely accessing a voice-enabled communication terminal, as recited in claim 3, wherein coupling the IP telephone to a secure personal authentication reader (SPAR) device.
6. A method of securely accessing a voice-enabled communication terminal, as recited in claim 3, further including encrypting authentication data for authentication of the user.
7. A secure service point (SSP) system comprising a secure personal authentication reader (SPAR) device coupled to communication terminal, which is in communication with a network switch 16 for performing physical authentication of a user, for performing logical authentication of the user, for performing verification of the user and upon successful confirmation of the user, allowing access to the functions of the communication terminal.
8. A SSP system, as recited in claim 7, wherein the communication terminal is an Internet Protocol (IP) telephone.
9. A SSP system, as recited in claim 8, further including a user profile having functions for the IP telephone.
10. A SSP system, as recited in claim 8, wherein the SPAR device includes any combination of a smart card reader, a biometric reader, a magnetic card or RFID.
11. A SSP system, as recited in claim 8, wherein at least one IP telephone and an associated SPAR device are employed in a multi-modal service-point convergent communication system.
12. A SSP system, as recited in claim 11, wherein said at least one IP telephone and an associated SPAR device are configured to dynamically determine the type of requested service from the user, and ability to execute automated multi-modal interaction session with the user.
13. A SSP system, as recited in claim 11, wherein said multi-modal service-point convergent communication system includes a Customer Relationship Management (CRM) software environment for requesting and delivering relevant business services to an authenticated user through the IP telephone.
US11/444,566 2005-10-13 2006-05-31 Method and system for multi-level secure personal profile management and access control to the enterprise multi-modal communication environment in heterogeneous convergent communication networks Active 2031-01-23 US8406421B2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US11/444,566 US8406421B2 (en) 2005-10-13 2006-05-31 Method and system for multi-level secure personal profile management and access control to the enterprise multi-modal communication environment in heterogeneous convergent communication networks
EP06256154.3A EP1811740B1 (en) 2005-12-29 2006-12-01 Method and system for multi-level secure personal profile management and access control to the enterprise multi-modal communication environment in heterogeneous convergent communication networks
CN201310338314.8A CN103647886B (en) 2005-12-29 2006-12-28 For profile management and the method and system of Access Control in isomerization polymerization communication network

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US72708905P 2005-10-13 2005-10-13
US75573405P 2005-12-29 2005-12-29
US75547205P 2005-12-29 2005-12-29
US11/444,566 US8406421B2 (en) 2005-10-13 2006-05-31 Method and system for multi-level secure personal profile management and access control to the enterprise multi-modal communication environment in heterogeneous convergent communication networks

Publications (2)

Publication Number Publication Date
US20070115940A1 true US20070115940A1 (en) 2007-05-24
US8406421B2 US8406421B2 (en) 2013-03-26

Family

ID=38068709

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/444,566 Active 2031-01-23 US8406421B2 (en) 2005-10-13 2006-05-31 Method and system for multi-level secure personal profile management and access control to the enterprise multi-modal communication environment in heterogeneous convergent communication networks

Country Status (3)

Country Link
US (1) US8406421B2 (en)
EP (1) EP1811740B1 (en)
CN (1) CN103647886B (en)

GB2371397B (en) * 2001-01-20 2004-09-01 Ncr Int Inc Self service terminal
EP1263164B1 (en) 2001-05-23 2006-06-07 Daniel Büttiker Method and token for registering users of a public-key infrastructure and registration system
JP2005268936A (en) * 2004-03-16 2005-09-29 Canon Inc Access point, network system, and network service providing method
CN100515129C (en) * 2004-12-31 2009-07-15 侯万春 Apparatus for intelligent communication based on mobile communication network and Internet

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6731625B1 (en) * 1997-02-10 2004-05-04 Mci Communications Corporation System, method and article of manufacture for a call back architecture in a hybrid network with support for internet telephony
US20040158492A1 (en) * 2000-10-06 2004-08-12 Lopez Kermit D. Processing negotiable economic credits through electronic hand held devices
US20040059921A1 (en) * 2000-11-02 2004-03-25 Jean-Pierre Bianchi Secure method for communicating and providing services on digital networks and implementing architecture
US7110522B1 (en) * 2003-02-13 2006-09-19 Bellsouth Intellectual Property Corporation Customer relationship management for “private” number requests
US20050141447A1 (en) * 2003-11-12 2005-06-30 Interdigital Technology Corporation System for application server autonomous access across different types of access technology networks
US20060133604A1 (en) * 2004-12-21 2006-06-22 Mark Buer System and method for securing data from a remote input device

Cited By (94)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030204725A1 (en) * 2002-04-26 2003-10-30 Masayuki Itoi Method and system for verifying identity
US8060918B2 (en) * 2002-04-26 2011-11-15 Safety Angle Inc. Method and system for verifying identity
US8634320B2 (en) 2006-05-19 2014-01-21 Cisco Technology, Inc. Method and apparatus for simply configuring a subscriber appliance for performing a service controlled by a separate service provider
US8018870B2 (en) * 2006-05-19 2011-09-13 Cisco Technology, Inc. Method and apparatus for simply configuring a subscriber appliance for performing a service controlled by a separate service provider
US20100235480A1 (en) * 2006-05-19 2010-09-16 Cisco Technology Inc. Method and apparatus for simply configuring a subscriber appliance for performing a service controlled by a separate service provider
US8755373B1 (en) * 2006-09-14 2014-06-17 Sprint Communications Company L.P. VOP (voice over packet) automatic call distribution
US20100223464A1 (en) * 2006-10-24 2010-09-02 Electronics & Telecommunications Research Institute Public key based device authentication system and method
US8554674B1 (en) * 2006-10-31 2013-10-08 United Services Automobile Association (Usaa) Transfer caller into speech make-a-payment transaction
US20080120320A1 (en) * 2006-11-22 2008-05-22 David Darden Chambliss Apparatus, system, and method for reporting on enterprise data processing system configurations
US8521700B2 (en) * 2006-11-22 2013-08-27 International Business Machines Corporation Apparatus, system, and method for reporting on enterprise data processing system configurations
US20080133719A1 (en) * 2006-11-30 2008-06-05 Ofer Amitai System and method of changing a network designation in response to data received from a device
US8102860B2 (en) * 2006-11-30 2012-01-24 Access Layers Ltd. System and method of changing a network designation in response to data received from a device
US20080141138A1 (en) * 2006-12-06 2008-06-12 Yahoo! Inc. Apparatus and methods for providing a person's status
US20080136640A1 (en) * 2006-12-07 2008-06-12 Arnaud Lund Method and system for controlling distant equipment
US8115596B2 (en) * 2006-12-07 2012-02-14 International Business Machines Corporation Method and system for controlling distant equipment
US20080144604A1 (en) * 2006-12-14 2008-06-19 Adobe Systems Incorporated Interface-neutral communication architecture
EP2160863A4 (en) * 2007-06-15 2017-06-07 Microsoft Technology Licensing, LLC Multiple user authentications on a communications device
US20080310607A1 (en) * 2007-06-17 2008-12-18 Alcatel Lucent Presence Based DTMF Signaling Enablement of Voice Communication Controller and Method
US8041015B2 (en) * 2007-06-17 2011-10-18 Alcatel Lucent Presence based DTMF signaling enablement of voice communication controller and method
US11366863B1 (en) 2007-06-27 2022-06-21 ENORCOM Corporation Configurable electronic system with detachable components
US10368241B1 (en) * 2007-06-27 2019-07-30 ENORCOM Corporation Security for mobile and stationary electronic systems
US11726966B1 (en) 2007-06-27 2023-08-15 ENORCOM Corporation Information management system
US10706111B1 (en) 2007-06-27 2020-07-07 ENORCOM Corporation Wearable electronic device with multiple detachable components
US9542493B1 (en) * 2007-06-27 2017-01-10 ENORCOM Corporation Data system with temporal user interface
US10911952B1 (en) 2007-06-27 2021-02-02 ENORCOM Corporation Autonomous assistant for mobile and stationary environments
US9201885B1 (en) 2007-06-27 2015-12-01 ENORCOM Corporation Multi-platform storage and user interface environment
US8868036B1 (en) * 2007-06-27 2014-10-21 ENORCOM Corporation Security for mobile system
US9509674B1 (en) 2007-06-27 2016-11-29 ENORCOM Corporation Information security and privacy system and method
US10762061B1 (en) 2007-06-27 2020-09-01 ENORCOM Corporation Time-based information system
US9344288B2 (en) 2007-09-28 2016-05-17 Adobe Systems Incorporated Extemporaneous awareness of rich presence information for group members in a virtual space
US8514842B1 (en) * 2007-09-28 2013-08-20 Adobe Systems Incorporated Systems and methods for enabling communication between users of common virtual spaces
US20100058197A1 (en) * 2008-08-29 2010-03-04 International Business Machines Corporation Supporting role-based access control in component-based software systems
US8645843B2 (en) * 2008-08-29 2014-02-04 International Business Machines Corporation Supporting role-based access control in component-based software systems
US20120059878A1 (en) * 2009-05-08 2012-03-08 Telefonaktiebolaget LM Ericsson (publ) Method and arrangement for enabling differentiated communication services
US8843546B2 (en) * 2009-05-08 2014-09-23 Telefonaktiebolaget L M Ericsson (Publ) Method and arrangement for enabling differentiated communication services
US7690032B1 (en) 2009-05-22 2010-03-30 Daon Holdings Limited Method and system for confirming the identity of a user
CN103354930A (en) * 2010-06-03 2013-10-16 惠普发展公司,有限责任合伙企业 Identity management via cloud
US8966587B2 (en) * 2010-06-03 2015-02-24 Qualcomm Incorporated Identity management via cloud
EP2577551A4 (en) * 2010-06-03 2014-07-09 Qualcomm Inc Identity management via cloud
US20150121479A1 (en) * 2010-06-03 2015-04-30 Qualcomm Incorporated Identity management via cloud
US9560031B2 (en) * 2010-06-03 2017-01-31 Qualcomm Incorporated Identity management via cloud
EP2577551A2 (en) * 2010-06-03 2013-04-10 Hewlett-Packard Development Company, L.P. Identity management via cloud
US20110302630A1 (en) * 2010-06-03 2011-12-08 Palm, Inc. Identity management via cloud
US20190373429A1 (en) * 2010-06-28 2019-12-05 Sony Corporation Information processing apparatus and information processing method
US11129004B2 (en) * 2010-06-28 2021-09-21 Sony Corporation Information processing apparatus and information processing method
US20170171689A1 (en) * 2010-06-28 2017-06-15 Sony Corporation Information processing apparatus, information processing method, and program
US10433130B2 (en) * 2010-06-28 2019-10-01 Sony Corporation Information processing apparatus and information processing method
US9913070B2 (en) * 2010-07-21 2018-03-06 Sensoriant, Inc. Allowing or disallowing access to resources based on sensor and state information
US10003948B2 (en) 2010-07-21 2018-06-19 Sensoriant, Inc. System and method for provisioning user computing devices based on sensor and state information
US9913071B2 (en) 2010-07-21 2018-03-06 Sensoriant, Inc. Controlling functions of a user device utilizing an environment map
US9913069B2 (en) 2010-07-21 2018-03-06 Sensoriant, Inc. System and method for provisioning user computing devices based on sensor and state information
US20170272892A1 (en) * 2010-07-21 2017-09-21 Sensoriant, Inc. Allowing or disallowing access to resources based on sensor and state information
US9930522B2 (en) 2010-07-21 2018-03-27 Sensoriant, Inc. System and method for controlling mobile services using sensor information
US9949060B2 (en) * 2010-07-21 2018-04-17 Sensoriant, Inc. System allowing or disallowing access to resources based on sensor and state information
US10405157B2 (en) 2010-07-21 2019-09-03 Sensoriant, Inc. System and method for provisioning user computing devices based on sensor and state information
US11140516B2 (en) 2010-07-21 2021-10-05 Sensoriant, Inc. System and method for controlling mobile services using sensor information
US10104518B2 (en) 2010-07-21 2018-10-16 Sensoriant, Inc. System and method for provisioning user computing devices based on sensor and state information
US10181148B2 (en) 2010-07-21 2019-01-15 Sensoriant, Inc. System and method for control and management of resources for consumers of information
US10602314B2 (en) 2010-07-21 2020-03-24 Sensoriant, Inc. System and method for controlling mobile services using sensor information
US20120226792A1 (en) * 2011-03-04 2012-09-06 Johnson Robert A IPSEC Connection to Private Networks
US8972555B2 (en) * 2011-03-04 2015-03-03 Unisys Corporation IPsec connection to private networks
US8817777B2 (en) 2011-08-10 2014-08-26 Microsoft Corporation Hybrid unified communications deployment between cloud and on-premise
US20210029090A1 (en) * 2013-02-12 2021-01-28 Centrify Corporation Method and apparatus for providing secure internal directory service for hosted services
US10798057B2 (en) * 2013-02-12 2020-10-06 Centrify Corporation Method and apparatus for providing secure internal directory service for hosted services
US20140230042A1 (en) * 2013-02-12 2014-08-14 Centrify Corporation Method and apparatus for providing secure internal directory service for hosted services
US11750561B2 (en) * 2013-02-12 2023-09-05 Delinea Inc. Method and apparatus for providing secure internal directory service for hosted services
EP2933974A1 (en) * 2014-04-17 2015-10-21 HST High Soft Tech GmbH Method for telephone authentication of users of private or public networks for data exchange
US10999273B2 (en) 2014-07-01 2021-05-04 Samsung Electronics Co., Ltd. Method and apparatus for installing profile for eUICC
WO2016003200A1 (en) * 2014-07-01 2016-01-07 Samsung Electronics Co., Ltd. Method and apparatus for installing profile for euicc
US10609022B2 (en) 2014-07-01 2020-03-31 Samsung Electronics Co., Ltd. Method and apparatus for installing profile for EUICC
US10614473B2 (en) 2014-07-11 2020-04-07 Sensoriant, Inc. System and method for mediating representations with respect to user preferences
US10390289B2 (en) 2014-07-11 2019-08-20 Sensoriant, Inc. Systems and methods for mediating representations allowing control of devices located in an environment having broadcasting devices
US10701165B2 (en) 2015-09-23 2020-06-30 Sensoriant, Inc. Method and system for using device states and user preferences to create user-friendly environments
US11178240B2 (en) 2015-09-23 2021-11-16 Sensoriant, Inc. Method and system for using device states and user preferences to create user-friendly environments
CN106658450A (en) * 2015-11-04 2017-05-10 杭州络漫科技有限公司 Remote heterogeneous network mobile real-time communication method
US20170193249A1 (en) * 2016-01-05 2017-07-06 Nimrod Luria System and method for securing personal data elements
US9852309B2 (en) * 2016-01-05 2017-12-26 Prifender Ltd. System and method for securing personal data elements
US10609042B2 (en) * 2016-02-15 2020-03-31 Cisco Technology, Inc. Digital data asset protection policy using dynamic network attributes
US20170237747A1 (en) * 2016-02-15 2017-08-17 Cisco Technology, Inc. Digital asset protection policy using dynamic network attributes
US11288357B2 (en) 2016-11-07 2022-03-29 Samsung Electronics Co., Ltd. Apparatus and method for authenticating caller in communication system
US10601822B2 (en) * 2017-02-10 2020-03-24 Brett Littrell Multifactor authentication device
US20180234414A1 (en) * 2017-02-10 2018-08-16 Brett Littrell Multifactor Authentication Device
US10616174B1 (en) * 2017-06-23 2020-04-07 8X8, Inc. Customized telecommunication monitoring and alerts using a high-level programming interface
US11128595B1 (en) 2017-06-23 2021-09-21 8X8, Inc. Customized telecommunication monitoring and alerts using a high-level programming interface
US10861017B2 (en) * 2018-03-29 2020-12-08 Ncr Corporation Biometric index linking and processing
US20190303944A1 (en) * 2018-03-29 2019-10-03 Ncr Corporation Biometric index linking and processing
US10862757B2 (en) * 2018-08-07 2020-12-08 Dell Products L.P. Isolating a redirected biometric device to a remote session
US20200052970A1 (en) * 2018-08-07 2020-02-13 Dell Products L.P. Isolating a redirected biometric device to a remote session
US10630844B1 (en) * 2018-12-19 2020-04-21 T-Mobile Usa, Inc. Systems and methods for enhanced video call transfer
US11012576B2 (en) 2018-12-19 2021-05-18 T-Mobile Usa, Inc. Systems and methods for enhanced video call transfer
US10951773B2 (en) * 2019-03-05 2021-03-16 Textnow, Inc. Systems and methods for suggesting contacts
US20200288020A1 (en) * 2019-03-05 2020-09-10 Textnow, Inc. Systems and methods for suggesting contacts
US11778104B2 (en) 2019-03-05 2023-10-03 Textnow, Inc. Systems and methods for suggesting contacts
US20210385086A1 (en) * 2019-04-29 2021-12-09 Google Llc Systems and methods for distributed verification of online identity

Also Published As

Publication number Publication date
US8406421B2 (en) 2013-03-26
EP1811740A1 (en) 2007-07-25
EP1811740B1 (en) 2019-06-26
CN103647886B (en) 2016-10-05
CN103647886A (en) 2014-03-19

Similar Documents

Publication Publication Date Title
US8406421B2 (en) Method and system for multi-level secure personal profile management and access control to the enterprise multi-modal communication environment in heterogeneous convergent communication networks
US10313341B2 (en) System and method for identity authentication
US7899168B2 (en) Controlling or monitoring PBX phone from multiple PC endpoints
US6895558B1 (en) Multi-access mode electronic personal assistant
US6782413B1 (en) Distributed conference bridge
US7054819B1 (en) Voice print access to computer resources
US7460493B1 (en) Video conferencing system with dynamic call management and set-up
US7715547B2 (en) Voice XML network gateway
US9703943B2 (en) Pre-authenticated calling for voice applications
US9088645B2 (en) Intermediary device initiated caller identification
US7158776B1 (en) Techniques for voice-based user authentication for mobile access to network services
JP2004533146A (en) Selective property blocking in communication networks
JP2008509454A (en) How to define a serverless office architecture
US20020188725A1 (en) User verification service in a multimedia-capable network
US9819655B1 (en) Method and system for sensitive data abstraction
US7415106B2 (en) Network-based voice activated auto-attendant service with B2B connectors
US8934478B2 (en) Managing telephony services using multiple users within a telephony control point in a home network
US7519202B2 (en) System and method for secure bio-print and access methods
US20070005729A1 (en) Internet telephony through hosts
CN101422003B (en) Voip client information
Beltran et al. Identity management for Web business communications
US7564961B2 (en) Telephone port allocation method
Dilekci et al. Voice Over Internet Protocol

Legal Events

Date Code Title Description
AS Assignment

Owner name: LITESCAPE TECHNOLOGIES, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KAMEN, VLADIMIR;NAIMI, FARZAD;ALIKHANI, KAYVAN;REEL/FRAME:017949/0732

Effective date: 20060525

AS Assignment

Owner name: PASSBAN, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:LITESCAPE TECHNOLOGIES, INC.;REEL/FRAME:028888/0042

Effective date: 20120710

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: EMC CORPORATION, MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:PASSBAN CORPORATION;REEL/FRAME:033231/0601

Effective date: 20130926

FEPP Fee payment procedure

Free format text: PAT HOLDER NO LONGER CLAIMS SMALL ENTITY STATUS, ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: STOL); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

AS Assignment

Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NORTH CAROLINA

Free format text: SECURITY AGREEMENT;ASSIGNORS:ASAP SOFTWARE EXPRESS, INC.;AVENTAIL LLC;CREDANT TECHNOLOGIES, INC.;AND OTHERS;REEL/FRAME:040134/0001

Effective date: 20160907

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT, TEXAS

Free format text: SECURITY AGREEMENT;ASSIGNORS:ASAP SOFTWARE EXPRESS, INC.;AVENTAIL LLC;CREDANT TECHNOLOGIES, INC.;AND OTHERS;REEL/FRAME:040136/0001

Effective date: 20160907

Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLAT

Free format text: SECURITY AGREEMENT;ASSIGNORS:ASAP SOFTWARE EXPRESS, INC.;AVENTAIL LLC;CREDANT TECHNOLOGIES, INC.;AND OTHERS;REEL/FRAME:040134/0001

Effective date: 20160907

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., A

Free format text: SECURITY AGREEMENT;ASSIGNORS:ASAP SOFTWARE EXPRESS, INC.;AVENTAIL LLC;CREDANT TECHNOLOGIES, INC.;AND OTHERS;REEL/FRAME:040136/0001

Effective date: 20160907

FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: EMC IP HOLDING COMPANY LLC, MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:EMC CORPORATION;REEL/FRAME:040203/0001

Effective date: 20160906

AS Assignment

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., T

Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES, INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:049452/0223

Effective date: 20190320

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., TEXAS

Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES, INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:049452/0223

Effective date: 20190320

AS Assignment

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., TEXAS

Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:053546/0001

Effective date: 20200409

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

AS Assignment

Owner name: WYSE TECHNOLOGY L.L.C., CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: SCALEIO LLC, MASSACHUSETTS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: MOZY, INC., WASHINGTON

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: MAGINATICS LLC, CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: FORCE10 NETWORKS, INC., CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: EMC IP HOLDING COMPANY LLC, TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: EMC CORPORATION, MASSACHUSETTS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL SYSTEMS CORPORATION, TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL SOFTWARE INC., CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL PRODUCTS L.P., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL MARKETING L.P., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL INTERNATIONAL, L.L.C., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL USA L.P., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: CREDANT TECHNOLOGIES, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: AVENTAIL LLC, CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: ASAP SOFTWARE EXPRESS, INC., ILLINOIS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

AS Assignment

Owner name: SCALEIO LLC, MASSACHUSETTS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: EMC IP HOLDING COMPANY LLC (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MOZY, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: EMC CORPORATION (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MAGINATICS LLC), MASSACHUSETTS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO FORCE10 NETWORKS, INC. AND WYSE TECHNOLOGY L.L.C.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL PRODUCTS L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL INTERNATIONAL L.L.C., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL USA L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL MARKETING L.P. (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO CREDANT TECHNOLOGIES, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO ASAP SOFTWARE EXPRESS, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

AS Assignment

Owner name: SCALEIO LLC, MASSACHUSETTS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: EMC IP HOLDING COMPANY LLC (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MOZY, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: EMC CORPORATION (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MAGINATICS LLC), MASSACHUSETTS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO FORCE10 NETWORKS, INC. AND WYSE TECHNOLOGY L.L.C.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL PRODUCTS L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL INTERNATIONAL L.L.C., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL USA L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL MARKETING L.P. (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO CREDANT TECHNOLOGIES, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO ASAP SOFTWARE EXPRESS, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329